FUJIFILM Healthcare Americas Synapse Mobility
Monitor | 4.3 | ICS-CERT ICSMA-25-233-01 | Aug 21, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
FUJIFILM Synapse Mobility versions prior to 8.2 contain an information disclosure vulnerability in the search function. The search capability does not properly enforce role-based access controls, allowing authenticated users to retrieve medical imaging studies and patient data beyond their assigned permissions (CWE-472). The vulnerability affects Synapse Mobility versions below 8.2.
What this means
What could happen
An attacker with valid login credentials could access medical imaging studies and patient information that they are not authorized to view, potentially exposing sensitive healthcare records.
Who's at risk
Healthcare organizations using FUJIFILM Synapse Mobility for medical image management and distribution should be concerned, particularly those with clinical roles that require differentiated access to patient imaging records.
How it could be exploited
An attacker authenticates with a valid user account to Synapse Mobility, then uses the search function to query for patient records or imaging studies outside their assigned role permissions. The search function does not properly enforce role-based access controls, allowing retrieval of restricted content.
Prerequisites
- Valid user credentials for Synapse Mobility
- Network access to the Synapse Mobility application
- Target deployment running version 8.2 or earlier
- Search function enabled in configurator settings
Low complexity exploitation | Valid authentication required | Healthcare data exposure | Inadequate access controls
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Synapse Mobility: <8.2 | <8.2 | 8.2 or later
Remediation & Mitigation
Do now
WORKAROUND: Disable the search function in Synapse Mobility configurator settings
WORKAROUND: Uncheck the 'Allow plain text accession number' option in the security section of the admin interface to restrict access to SecureURL feature only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Synapse Mobility to version 8.2 or later
Long-term hardening
HARDENING: Isolate Synapse Mobility systems from internet-facing networks using firewall rules and network segmentation
CVEs (1)