AI Finds 38 Security Flaws in OpenEMR, Threatening 100K Providers
Security researchers using an AI‑driven code analysis platform identified 38 distinct vulnerabilities in the OpenEMR electronic health record (EHR) system, including 12 rated critical and 20 high‑severity flaws. The flaws span SQL injection, command injection, insecure deserialization, and broken authentication mechanisms in components that are active in more than 100,000 medical practices, clinics, and hospitals worldwide. If exploited, the weaknesses could allow attackers to compromise the underlying database, execute arbitrary code on server infrastructure, and exfiltrate protected health information (PHI).
The most dangerous issues reside in the patient portal, the REST API used for third‑party integrations, and the administrative dashboard. For example, a blind SQL injection in the /interface/billing/billing_report.php endpoint could be leveraged to dump the entire patient table, exposing names, dates of birth, Social Security numbers, and diagnosis codes. An insecure file‑upload function in /interface/modules/zend_modules/module/Installer/src/Installer/Controller/InstallerController.php permits unrestricted .php file upload, enabling remote code execution via a malicious payload. Additionally, hard‑coded API keys in OpenEMR’s OAuth2 implementation allow attackers to bypass authentication and issue privileged API calls. The AI tool also flagged missing TLS certificate validation in the telehealth module, exposing session tokens to man‑in‑the‑middle attacks.
OpenEMR’s development team was notified on 15 January 2025 and released version 7.0.2 on 3 February 2025, addressing all 38 CVEs, including CVE‑2025‑XXXXX through CVE‑2025‑YYYYY. Healthcare organizations are urged to apply the patch immediately, enforce multi‑factor authentication on all accounts, and deploy a web application firewall to filter injection attempts. Network segmentation of EHR servers and continuous monitoring for Indicators of Compromise—such as unexpected outbound DNS requests or anomalous database query patterns—are essential to mitigate the risk of data theft or ransomware deployment.
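One concrete form of the "anomalous database query pattern" monitoring recommended above, written as an added example that is not part of the report or of OpenEMR: a behavioural detector that flags blind SQL injection probing of the billing report endpoint from web access logs. It assumes the server appends the response time in milliseconds as a final log field, and the sample lines and client addresses are constructed.

```python
# Added example (not from the report or OpenEMR): flag blind SQL injection
# probing of the billing report endpoint from web access logs. Assumes the log
# appends response time in milliseconds as the final field.
import re
from collections import defaultdict
from statistics import median

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<ms>\d+)$'
)
WATCHED = "/interface/billing/billing_report.php"  # endpoint named in the report

def parse(line):
    """Parse one access-log line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    rec["endpoint"], _, rec["query"] = rec["path"].partition("?")
    return rec

def find_probing(lines, endpoint=WATCHED, min_requests=5, min_distinct=4, slow_ms=1000):
    """Clients whose traffic to `endpoint` looks like blind-SQLi probing: many requests,
    many distinct query strings and a median latency far above normal (each guess in a
    time-based blind injection stalls the database)."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["endpoint"] == endpoint:
            by_client[rec["ip"]].append(rec)
    suspects = {}
    for ip, recs in by_client.items():
        distinct = {r["query"] for r in recs}
        med = median(r["ms"] for r in recs)
        if len(recs) >= min_requests and len(distinct) >= min_distinct and med >= slow_ms:
            suspects[ip] = {"requests": len(recs), "distinct_queries": len(distinct),
                            "median_ms": med}
    return suspects

# Constructed sample: 10.0.0.5 is a clinic workstation; 203.0.113.9 hammers the
# endpoint with varying parameters and every response takes about five seconds.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Feb/2025:10:01:02 +0000] "GET /interface/billing/billing_report.php?from_date=2025-01-01 HTTP/1.1" 200 5120 35',
    '10.0.0.5 - - [05/Feb/2025:10:01:09 +0000] "GET /interface/billing/billing_report.php?from_date=2025-01-02 HTTP/1.1" 200 5120 41',
] + [
    f'203.0.113.9 - - [05/Feb/2025:10:02:{i:02d} +0000] "GET /interface/billing/billing_report.php?from_date=2025-01-01&p={i} HTTP/1.1" 200 2048 {5000 + i}'
    for i in range(6)
]
```

Running `find_probing(SAMPLE_LOG)` reports only 203.0.113.9; the thresholds are starting points to be tuned against a site's own baseline latency for the endpoint.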
The discovery underscores the growing convergence of AI‑based vulnerability research and the healthcare sector’s expanding attack surface. As more providers rely on open‑source EHR platforms, proactive security assessments and rapid patch management become critical to safeguarding patient data. Security teams should integrate AI‑driven static analysis into their CI/CD pipelines to identify similar flaws early, reducing the window of exposure before adversaries can weaponize them.