CVE-2025-30038

Summary

The vulnerability consists of a session ID leak when saving a file downloaded from CGM CLININET. The identifier is exposed through a built-in Windows security feature that stores additional metadata in an NTFS alternate data stream (ADS) for all files downloaded from potentially untrusted sources.

Affected Software

VendorProductVersion RangeStatus
CGMCGM CLININET0 < 2025.MS1affected

Weaknesses

  • CWE-1230: CWE-1230 Exposure of Sensitive Information Through Metadata

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References