PatchSiren

CVE-2025-54551 FUJIFILM Healthcare Americas Corporation CVE debrief

CVE-2025-54551 is a privilege escalation issue in FUJIFILM Healthcare Americas Synapse Mobility versions prior to 8.2. According to the advisory, an attacker may bypass authentication and access information beyond role-based access controls. The vendor and CISA describe upgrade and configuration-based mitigations, and patches are available for supported affected versions.

Vendor: FUJIFILM Healthcare Americas Corporation
Product: Synapse Mobility
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-21
Original CVE updated: 2025-08-21
Advisory published: 2025-08-21
Advisory updated: 2025-08-21

Who should care

Administrators and security teams responsible for FUJIFILM Healthcare Americas Synapse Mobility deployments, especially environments that rely on the application for controlled access to protected healthcare information.

Technical summary

The advisory describes an external control of a Web parameter that can be abused to elevate privileges. The supplied CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, which aligns with a network-reachable issue requiring low privileges and no user interaction. The impact described in the advisory is authentication bypass and access to information beyond role-based access controls. Affected versions are prior to 8.2; patches are noted for versions 8.0-8.1.1, and the vendor also provides temporary mitigation steps.

Defensive priority

Medium priority: plan to upgrade to 8.2 or later as soon as practical, or apply the documented mitigations immediately if the upgrade cannot happen right away.

Recommended defensive actions

  • Upgrade Synapse Mobility to version 8.2 or later.
  • If you cannot upgrade immediately, disable the search function in the configurator settings.
  • Remove access to the search function for all users by unchecking the "Allow plain text accession number" option in the admin security settings.
  • Use the SecureURL feature as the only allowed access path when applying the temporary mitigation.
  • Apply the vendor patches released for versions 8.0-8.1.1 if you are on a supported affected release.
  • If the product is past end of support, follow the vendor guidance to update to the latest available version.
  • Validate that role-based access controls are enforced after remediation.

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSMA-25-233-01 and the supplied vendor description. The source states that Synapse Mobility versions prior to 8.2 contain a privilege escalation vulnerability through external control of a Web parameter. It also states that exploitation could allow authentication bypass and access beyond role-based access controls. Mitigations listed in the source include upgrading to 8.2 or later, disabling the search function in configurator settings, unchecking "Allow plain text accession number," and using SecureURL only. The supplied enrichment marks the CVE as not in CISA KEV.

Official resources

CISA published ICSMA-25-233-01 and the CVE record on 2025-08-21 06:00:00Z, with the supplied source showing an initial publication on that date. The provided enrichment does not list the issue in CISA KEV, and no exploitation timeline is in