
Multiple critical security vulnerabilities have been discovered in Sante PACS Server, a widely used DICOM 3.0-compliant PACS server. These flaws could allow attackers to gain unauthorized access, steal sensitive data, and disrupt critical services.
Sante PACS Server is a comprehensive system used in healthcare for managing medical images. It functions as a PACS server, Modality Worklist server, HTTP (web) server for DICOM files, and a CD/DVD burning and printing server. It is designed to connect to various DICOM modalities and includes the Sante PACS Viewer for image review.
Security researchers at Tenable uncovered the flaws and published technical details and proof-of-concept exploit code for them. The most severe is a stack-based buffer overflow (CVE-2025-2263), rated critical with a CVSS score of 9.8.
Here’s a breakdown of the key vulnerabilities:

- CVE-2025-2263 (CVSS 9.8): Stack-Based Buffer Overflow
  - During login to the web server in “Sante PACS Server.exe”, the OpenSSL function EVP_DecryptUpdate is used to decrypt the username and password.
  - A fixed 0x80-byte stack-based buffer is passed to this function as the output buffer.
  - A stack-based buffer overflow can occur if a long encrypted username or password is provided by an unauthenticated remote attacker.
- CVE-2025-2264 (CVSS 7.5): Path Traversal Information Disclosure
  - A Path Traversal Information Disclosure vulnerability exists in “Sante PACS Server.exe”.
  - An unauthenticated remote attacker can exploit this to download arbitrary files from the disk drive where the application is installed.
- CVE-2025-2265 (CVSS 7.8): Vulnerable Password Storage
  - The password of a web user in “Sante PACS Server.exe” is zero-padded to 0x2000 bytes, SHA1-hashed, base64-encoded, and stored in the USER table in the SQLite database HTTP.db.
  - However, if the hash contains a zero byte, it is truncated there, so fewer hash bytes are encoded and stored than the full digest.
- CVE-2025-2284 (CVSS 7.5): Denial-of-Service
  - A denial-of-service vulnerability exists in the “GetWebLoginCredentials” function in “Sante PACS Server.exe”.
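The path-traversal issue (CVE-2025-2264) is the familiar pattern of a web server joining a request path onto its document root without checking where the result lands. The following is an added example, not code from Sante or from Tenable’s advisory: it shows that unchecked pattern beside the check a download handler should apply (decode, normalise, resolve symlinks, then require the result to stay under the document root). The directory layout, file names and request strings are constructed for the demo, and the example assumes a POSIX file system.

```python
"""Added example: confining file downloads to the application's document root.

Illustrative reconstruction of the bug class behind CVE-2025-2264 and its fix;
not the vendor's code. Paths and files below are constructed for the demo.
"""
import os
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def naive_path(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: the request path is joined onto the document root
    with no validation, so '..' segments or an absolute path escape base_dir."""
    return os.path.join(base_dir, unquote(requested))


def safe_path(base_dir: str, requested: str) -> Optional[str]:
    """Hardened pattern: returns the resolved path if it stays under base_dir,
    otherwise None. Symlinks are resolved on both sides so a link inside the
    root cannot point the server outside it."""
    root = os.path.realpath(base_dir)
    # Decode percent-encoding once (so %2e%2e%2f is seen as ../), unify
    # separators, and drop a leading slash so the request is always relative.
    rel = unquote(requested).replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    # Compare against root + separator so that "/srv/dicom_other" does not pass
    # as being inside "/srv/dicom".
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def serve(base_dir: str, requested: str) -> Optional[bytes]:
    """Download handler built on safe_path: only regular files inside the
    document root are ever opened."""
    path = safe_path(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> Dict[str, Tuple[bool, Optional[bytes]]]:
    """Builds a constructed layout (one legitimate image inside the web root,
    one database file beside it) and reports, for each request, whether the
    naive join would have reached an existing file and what serve() returns."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "dicom_web")
    os.makedirs(os.path.join(docroot, "images"))
    with open(os.path.join(docroot, "images", "study1.dcm"), "wb") as fh:
        fh.write(b"DICM")  # constructed placeholder content
    with open(os.path.join(root, "HTTP.db"), "wb") as fh:
        fh.write(b"not for download")  # constructed file outside the web root

    requests = {
        "legitimate": "images/study1.dcm",
        "dotdot": "../HTTP.db",
        "encoded": "%2e%2e/HTTP.db",
        "absolute": os.path.join(root, "HTTP.db"),
    }
    results = {}
    for label, req in requests.items():
        naive_hits_file = os.path.isfile(naive_path(docroot, req))
        results[label] = (naive_hits_file, serve(docroot, req))
    return results


if __name__ == "__main__":
    for label, (naive_hit, served) in demo().items():
        print(f"{label:11s} naive reaches file: {naive_hit!s:5s} hardened returns: {served!r}")
```

In the demo all three escaping requests reach the file outside the root under the naive join, while the hardened handler serves only the legitimate image. The absolute-path request is worth noting: os.path.join discards the first argument when the second is absolute, which is why the hardened version strips the leading separator before joining.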
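The password-storage flaw (CVE-2025-2265) is subtle enough to deserve a worked illustration. What follows is an added example that models the scheme as the advisory describes it (password zero-padded to 0x2000 bytes, SHA-1 hashed, base64-encoded, with the stored bytes cut short at the digest's first zero byte); it is a reconstruction for teaching purposes, not the vendor's code, and the sample passwords are constructed. It measures how often the truncation fires and shows a conventional salted, iterated replacement beside it.

```python
"""Added example: the effect of truncating a password digest at a zero byte,
and a conventional salted KDF replacement.

Reconstruction of the storage scheme described for CVE-2025-2265 for
illustration only; not the vendor's implementation. Sample passwords are
constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Tuple

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def flawed_stored_hash(password: str) -> str:
    """Model of the described scheme: zero-pad to 0x2000 bytes, SHA-1, then
    keep only the bytes before the first zero byte (the behaviour of handing
    a raw digest to C string routines), and base64-encode the remainder."""
    padded = password.encode("utf-8").ljust(0x2000, b"\x00")
    digest = hashlib.sha1(padded).digest()
    truncated = digest.split(b"\x00", 1)[0]
    return base64.b64encode(truncated).decode("ascii")


def stored_digest_len(password: str) -> int:
    """Number of digest bytes that actually survive into storage."""
    return len(base64.b64decode(flawed_stored_hash(password)))


def first_truncated(prefix: str = "user", limit: int = 10_000) -> Tuple[str, int]:
    """Walk constructed passwords prefix0, prefix1, ... and return the first
    whose stored digest is shorter than a full SHA-1, with its stored length."""
    for i in range(limit):
        pw = f"{prefix}{i}"
        n = stored_digest_len(pw)
        if n < DIGEST_LEN:
            return pw, n
    raise RuntimeError("no truncated digest found in search range")


def truncation_rate(n: int = 2000) -> float:
    """Fraction of n constructed passwords whose stored digest is truncated.
    A 20-byte digest contains at least one zero byte with probability
    1 - (255/256)**20, roughly 7.5%."""
    hits = sum(1 for i in range(n) if stored_digest_len(f"pw{i}") < DIGEST_LEN)
    return hits / n


def hardened_store(password: str, iterations: int = 600_000) -> str:
    """Replacement: random per-user salt, PBKDF2-HMAC-SHA256, full-length
    derived key, everything base64-encoded so no byte value can cut it short."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def hardened_verify(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time."""
    alg, iters, salt_b64, dk_b64 = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


if __name__ == "__main__":
    pw, n = first_truncated()
    print(f"{pw!r}: only {n} of {DIGEST_LEN} digest bytes stored -> {flawed_stored_hash(pw)!r}")
    print(f"truncation rate over 2000 constructed passwords: {truncation_rate():.3f}")
    rec = hardened_store("example-passphrase")
    print("hardened record:", rec)
    print("verify correct:", hardened_verify("example-passphrase", rec),
          "verify wrong:", hardened_verify("not-it", rec))
```

The point the numbers make is that the truncation is not a corner case: several percent of all users end up with a stored value shorter than the digest, and in the worst case (a leading zero byte) with nothing stored at all, so far more candidate passwords verify against the record than the one that was set. The replacement fixes both the truncation and the unsalted, single-iteration design.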
These vulnerabilities pose significant risks:
- Unauthorized Access: Attackers could exploit these flaws to gain unauthorized access to sensitive medical data, including patient information and medical images.
- Data Breaches: The vulnerabilities could lead to data breaches, compromising patient privacy and violating regulatory requirements like HIPAA.
- System Disruption: The denial-of-service vulnerability could allow attackers to disrupt the operation of the PACS server, impacting medical imaging workflows.
- Further Attacks: Successful exploitation of these vulnerabilities could serve as a springboard for further malicious activities within the affected systems and networks.
A solution has been provided by the vendor. Users of Sante PACS Server are strongly advised to upgrade to version 4.2.0 or later to patch these critical security flaws and protect their systems from potential attacks.