CVE-2025-32967
MEDIUMOpenEMR < 7.0.3.4 - Insufficient Logging of Password Change Events
Title source: llmDescription
OpenEMR is a free and open source electronic health records and medical practice management application. A logging oversight in versions prior to 7.0.3.4 allows password change events to go unrecorded on the client-side log viewer, preventing administrators from auditing critical actions. This weakens traceability and opens the system to undetectable misuse by insiders or attackers. Version 7.0.3.4 contains a patch for the issue.
References (1)
Core 1
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/openemr/openemr/security/advisories/GHSA-7qj6-jxfc-xw4v
Scores
CVSS v3
5.4
EPSS
0.0080
EPSS Percentile
74.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-778
Status
published
Products (1)
open-emr/openemr
< 7.0.3.4
Published
May 23, 2025
Tracked Since
Feb 18, 2026