CVE-2025-0896
📋 TL;DR
Orthanc server versions before 1.5.8 have remote access enabled without basic authentication by default, allowing attackers to access medical imaging data without credentials. This affects all deployments using default configurations with remote access enabled. Healthcare organizations using Orthanc for medical imaging storage are primarily impacted.
💻 Affected Systems
- Orthanc server
📦 What is this software?
Orthanc by Orthanc Server
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of medical imaging data including patient health information (PHI), potential data exfiltration, and unauthorized access to sensitive medical records.
Likely Case
Unauthorized viewing and potential download of medical imaging studies containing patient health information.
If Mitigated
Limited impact with proper authentication controls and network segmentation in place.
🎯 Exploit Status
Exploitation requires only network access to the Orthanc server with remote access enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.8
Vendor Advisory: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-037-02
Restart Required: Yes
Instructions:
1. Download Orthanc version 1.5.8 or later from official sources.
2. Stop the Orthanc service.
3. Backup configuration files.
4. Install the new version.
5. Restart the Orthanc service.
🔧 Temporary Workarounds
Enable Basic Authentication
Configure Orthanc to require basic authentication for all remote access
Edit Orthanc configuration file to set 'AuthenticationEnabled' to true and configure 'RegisteredUsers'
Disable Remote Access
Disable remote access if not required
Set 'RemoteAccessAllowed' to false in Orthanc configuration
🧯 If You Can't Patch
- Implement network segmentation and firewall rules to restrict access to Orthanc server
- Deploy a reverse proxy with authentication in front of Orthanc server
🔍 How to Verify
Check if Vulnerable:
Check the Orthanc version, and check whether the configuration sets 'RemoteAccessAllowed' to true while 'AuthenticationEnabled' is false (or absent)
Check Version:
orthanc --version
Verify Fix Applied:
Confirm the Orthanc version is 1.5.8 or later, then request a resource from the server without credentials; the request should be denied
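The two workarounds above and the verification steps come down to the same configuration check: is 'RemoteAccessAllowed' true while 'AuthenticationEnabled' is false, and is the running version older than 1.5.8? The script below is an added example (not code from the advisory or the Orthanc project) that audits an Orthanc JSON configuration and the output of `orthanc --version` for exactly that. It assumes the three configuration keys named above, that the fixed release is 1.5.8, and that `orthanc --version` prints an x.y.z number somewhere in its output; it also strips the `//` and `/* */` comments that Orthanc's sample `orthanc.json` carries, since Python's strict JSON parser rejects them. The three sample configurations are constructed.

```python
"""Audit an Orthanc configuration file and version string for the exposure
described in this advisory.

Added example, not code from the advisory or the Orthanc project. Assumptions:
the configuration keys named in the advisory (RemoteAccessAllowed,
AuthenticationEnabled, RegisteredUsers), the fixed release 1.5.8, and that
`orthanc --version` prints a dotted x.y.z number somewhere in its output.
"""
import json
import re
import sys

FIXED_VERSION = (1, 5, 8)


def strip_json_comments(text: str) -> str:
    """Orthanc's sample orthanc.json is annotated with // and /* */ comments,
    which Python's strict json module rejects. Remove them, but only outside
    string literals so values such as "http://..." survive."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):       # line comment: skip to newline
            j = text.find("\n", i)
            i = n if j < 0 else j
            continue
        elif text.startswith("/*", i):       # block comment: skip past */
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def parse_version(text: str) -> tuple:
    """Pull the first x.y.z token out of `orthanc --version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(g) for g in m.groups())


def audit(config_text: str, version_text: str) -> dict:
    """Return the effective settings plus human-readable findings.
    'exposed' is the advisory's unsafe combination: remote access on, auth off."""
    cfg = json.loads(strip_json_comments(config_text))
    version = parse_version(version_text)
    remote = bool(cfg.get("RemoteAccessAllowed", False))
    auth = bool(cfg.get("AuthenticationEnabled", False))
    users = cfg.get("RegisteredUsers") or {}
    findings = []
    if version < FIXED_VERSION:
        findings.append("Orthanc %s is older than the fixed release 1.5.8"
                        % ".".join(map(str, version)))
    if remote and not auth:
        findings.append("RemoteAccessAllowed is true while AuthenticationEnabled "
                        "is false: remote clients need no credentials")
    if auth and not users:
        findings.append("AuthenticationEnabled is true but RegisteredUsers is "
                        "empty: no account is configured")
    return {"version": version, "remote_access": remote, "auth": auth,
            "users": sorted(users), "findings": findings,
            "exposed": remote and not auth}


# Constructed sample configurations (not real deployments).
VULNERABLE_CONFIG = """{
  // mirrors the unsafe pre-1.5.8 default: reachable remotely, no credentials
  "Name" : "MyOrthanc",
  "RemoteAccessAllowed" : true,
  "AuthenticationEnabled" : false
}"""

HARDENED_CONFIG = """{
  "Name" : "MyOrthanc",
  "RemoteAccessAllowed" : true,
  "AuthenticationEnabled" : true,
  "RegisteredUsers" : {
    "pacs-viewer" : "REPLACE-WITH-A-STRONG-SECRET"   /* placeholder value */
  }
}"""

LOCAL_ONLY_CONFIG = """{
  "Name" : "MyOrthanc",
  "RemoteAccessAllowed" : false   // second workaround: no remote access at all
}"""

if __name__ == "__main__":
    # On a real host: python audit_orthanc.py path/to/orthanc.json "$(orthanc --version 2>&1)"
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = audit(fh.read(), sys.argv[2])
    else:
        report = audit(VULNERABLE_CONFIG, "Orthanc version: 1.5.7")
    print("exposed:", report["exposed"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run against the constructed vulnerable configuration and a 1.5.7 version string it reports two findings; the hardened configuration reports none, and the local-only configuration reports only the version finding. A version at or above 1.5.8 does not by itself clear the configuration finding, because the workaround section treats the remote-without-authentication combination as something to fix in its own right.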
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to Orthanc API endpoints
- Multiple failed authentication attempts followed by successful unauthenticated access
Network Indicators:
- HTTP requests to Orthanc endpoints without authentication headers
- Unusual data transfer volumes from Orthanc server
SIEM Query:
source="orthanc.log" AND (event="Unauthenticated access" OR (status=200 AND auth="none"))
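The log and network indicators above can be checked concretely when Orthanc sits behind a reverse proxy that writes the Combined Log Format, where the third field is the Basic-auth user name or `-` when the request carried no credentials. The script below is an added example (not from the advisory) that runs those indicators over such a log: successful requests to Orthanc REST roots with no user, a client that was denied with 401 and later received 200 without credentials, and clients whose served byte volume exceeds a threshold. The Orthanc paths it matches (/patients, /studies, /series, /instances, /system) are the REST API roots; the volume threshold and the sample log lines are constructed.

```python
"""Flag unauthenticated access to Orthanc through a reverse proxy's access log.

Added example, not code from the advisory. Assumptions: Orthanc sits behind an
nginx/Apache-style proxy writing the Combined Log Format, whose third field is
the Basic-auth user name or "-" when the request carried no credentials; the
paths below are Orthanc REST API roots. The sample log lines are constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"[^"]*" "(?P<agent>[^"]*)"$')

# Orthanc REST API roots that expose imaging data or server details.
ORTHANC_PREFIXES = ("/patients", "/studies", "/series", "/instances", "/system")


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_orthanc_path(path: str) -> bool:
    """True for an Orthanc REST root or anything beneath it (query string ignored)."""
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p + "/") for p in ORTHANC_PREFIXES)


def detect(lines, volume_threshold=1_000_000) -> dict:
    """Apply the advisory's indicators to an access log:
    1. 200 responses on Orthanc endpoints to requests with no user (no credentials),
    2. a client that got 401 and later got 200 without credentials,
    3. clients whose served bytes on Orthanc endpoints reach volume_threshold."""
    unauth_ok, denied_then_open = [], []
    bytes_by_ip = defaultdict(int)
    denied_ips, unparsed = set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_orthanc_path(rec["path"]):
            continue
        bytes_by_ip[rec["ip"]] += rec["bytes"]
        if rec["status"] == 401:
            denied_ips.add(rec["ip"])
        elif rec["status"] == 200 and rec["user"] == "-":
            unauth_ok.append(rec)
            if rec["ip"] in denied_ips and rec["ip"] not in denied_then_open:
                denied_then_open.append(rec["ip"])
    high_volume = sorted(ip for ip, b in bytes_by_ip.items() if b >= volume_threshold)
    return {"unauthenticated_success": unauth_ok,
            "denied_then_open": denied_then_open,
            "high_volume": high_volume,
            "bytes_by_ip": dict(bytes_by_ip),
            "unparsed": unparsed}


# Constructed sample log (not from a real system); "abc" is a placeholder instance id.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /system HTTP/1.1" 200 412 "-" "curl/8.4.0"',
    '10.0.0.5 - - [01/Mar/2025:10:00:02 +0000] "GET /studies HTTP/1.1" 200 8192 "-" "curl/8.4.0"',
    '10.0.0.5 - - [01/Mar/2025:10:00:03 +0000] "GET /instances/abc/file HTTP/1.1" 200 5242880 "-" "curl/8.4.0"',
    '192.168.1.20 - radiologist [01/Mar/2025:10:01:00 +0000] "GET /studies HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Mar/2025:10:02:00 +0000] "GET /patients HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '10.0.0.9 - - [01/Mar/2025:10:02:05 +0000] "GET /instances HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '10.0.0.9 - - [01/Mar/2025:10:02:06 +0000] "GET /healthz HTTP/1.1" 200 16 "-" "python-requests/2.31"',
    'not a log line',
]

if __name__ == "__main__":
    report = detect(SAMPLE_LOG)
    for rec in report["unauthenticated_success"]:
        print("no-credential 200:", rec["ip"], rec["method"], rec["path"], rec["bytes"])
    print("denied then open:", report["denied_then_open"])
    print("high volume:", report["high_volume"])
    print("unparsed lines:", report["unparsed"])
```

On the constructed sample this reports four credential-less 200 responses, flags 10.0.0.9 as denied-then-open, and lists 10.0.0.5 as high volume on the strength of a single 5 MB instance download; the authenticated request from `radiologist` and the non-Orthanc `/healthz` request are ignored. The denied-then-open pattern is the one the advisory calls out as "multiple failed authentication attempts followed by successful unauthenticated access" and usually points at a path the proxy is not protecting.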