healthcare - TrustStrike Labs

vulnerability

CVE-2026-24898 CVE-2026-24908 CVE-2026-23627 CVE-2026-24487

2026-04-29

AI security tool finds 38 previously unknown bugs in OpenEMR, the open-source health records system used by 100,000 healthcare providers - two of them rated maximum severity

Aisle, an AI-driven application security firm, ran its analyzer over OpenEMR's source code and found 38 previously unknown vulnerabilities, including two with maximum severity (CVSS 10.0). OpenEMR is the open-source electronic health records system used by 100,000 healthcare providers serving 200 million patients. The two critical bugs let attackers reach into patient databases without logging in: CVE-2026-24898 lets any unauthenticated visitor receive the medical practice's API tokens by sending a single POST request, and CVE-2026-24908 is a SQL injection in the patient REST API. OpenEMR has now patched all 38.

openemr aisle ai-security healthcare ehr sql-injection unauthenticated 100k-providers 200m-patients hipaa

Check: If your organization runs OpenEMR, upgrade to the latest patched build today and audit access logs for unauthenticated POST requests to MedEx recall/reminder endpoints.
Affected: OpenEMR deployments before the April 2026 security update. Particularly acute for any internet-reachable instance because CVE-2026-24898 is unauthenticated. The 100,000 OpenEMR healthcare providers are typically smaller US clinics and under-resourced settings worldwide - the segments least likely to have a fast patching process.
Fix: Upgrade OpenEMR to the latest 8.x patched release. Audit application logs for any POST to the MedEx recall/reminder endpoint and for unusual _sort parameter values in the patient REST API - those are the exploit signatures. Restrict OpenEMR's admin and API endpoints to internal management networks. Rotate API tokens issued before the patch was applied since they may have been exposed via CVE-2026-24898.

threat

2026-04-06

Microsoft exposes Storm-1175 - China-based ransomware group deploying Medusa with zero-day exploits in under 24 hours

Microsoft Threat Intelligence published a detailed report on Storm-1175, a China-based financially motivated group that deploys Medusa ransomware at extreme speed - sometimes moving from initial access to full ransomware deployment within 24 hours. The group exploits internet-facing systems using a mix of zero-day and recently disclosed (n-day) vulnerabilities, having weaponized over 16 flaws across 10 products since 2023. Two vulnerabilities were exploited as zero-days a full week before public disclosure. Recent targets include healthcare, education, finance, and professional services organizations in the US, UK, and Australia. Their playbook: exploit a web-facing flaw, create persistence via new accounts and web shells, steal credentials with Mimikatz, disable Defender via registry modifications, exfiltrate data with Rclone, then deploy Medusa across the network.

storm-1175 medusa ransomware china zero-day healthcare n-day-exploitation

Check: Review your internet-facing asset inventory. Storm-1175 specifically scans for exposed web applications running Exchange, Ivanti, ConnectWise, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
Affected: Organizations running any of: Microsoft Exchange, Ivanti Connect Secure/Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, BeyondTrust, Oracle WebLogic - especially if internet-facing and not fully patched.
Fix: Patch all internet-facing systems immediately - Storm-1175 weaponizes new CVEs within days. Enable tamper protection on Microsoft Defender and set DisableLocalAdminMerge to prevent attackers from adding antivirus exclusions. Monitor for credential theft indicators (LSASS access, WDigest caching). Block Rclone and unauthorized RMM tools at the perimeter. Prioritize alerts for new account creation and web shell deployment.

breach

2026-03-31

CareCloud confirms hackers accessed patient health records in 8-hour breach

Healthcare software company CareCloud disclosed to the SEC that hackers breached one of its six electronic health record environments on March 16, gaining access to patient medical data for approximately eight hours. The company serves over 40,000 healthcare providers. It's still investigating whether data was exfiltrated, but classified the incident as material on March 24 due to the sensitivity of the records. No ransomware group has claimed the attack.

carecloud healthcare ehr data-breach hipaa

Check: If your organization uses CareCloud Health for EHR, contact CareCloud for specifics on whether your environment was affected.
Affected: CareCloud Health EHR platform users. One of six EHR environments was compromised.
Fix: Monitor for CareCloud's breach notification updates. Review access logs for unusual activity around March 16. Ensure MFA is enforced on all EHR system access. Prepare for potential patient notification requirements.