CVE-2025-2265
📋 TL;DR
This vulnerability in Sante PACS Server allows attackers to bypass authentication by exploiting password hash truncation. When a password's SHA1 hash contains a zero byte, only the portion before that zero gets stored, enabling hash collision attacks. This affects all systems running vulnerable versions of Sante PACS Server.
💻 Affected Systems
- Sante PACS Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through authentication bypass, allowing unauthorized access to medical imaging data and potential patient data exfiltration.
Likely Case
Unauthorized access to the PACS system by attackers who can generate passwords with SHA1 hashes containing zero bytes, leading to medical data confidentiality breach.
If Mitigated
Limited impact if strong network segmentation, monitoring, and multi-factor authentication are in place to detect and prevent unauthorized access attempts.
🎯 Exploit Status
Exploitation requires understanding of the hash truncation behavior and ability to generate passwords with specific SHA1 hash characteristics.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.santesoft.com/security-advisories
Restart Required: No
Instructions:
1. Download latest patched version from SanteSoft
2. Backup current configuration and data
3. Install update following vendor instructions
4. Verify password hashes are properly stored in HTTP.db
🔧 Temporary Workarounds
Password Policy Enforcement
Implement a password policy requiring complex passwords that are less likely to produce SHA1 hashes containing zero bytes
🧯 If You Can't Patch
- Implement network segmentation to isolate PACS server from untrusted networks
- Enable detailed authentication logging and monitor for failed/successful login anomalies
🔍 How to Verify
Check if Vulnerable:
Check HTTP.db SQLite database for truncated password hashes by examining hash length and content in USER table
Check Version:
Check Sante PACS Server version in application interface or installation directory
Verify Fix Applied:
Verify new password hashes are full 28-character base64 strings without truncation in HTTP.db
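The following script is an added example, not code from the advisory or from SanteSoft. It models the defect described in the TL;DR (a raw SHA1 digest handled as a C string, so everything from the first zero byte onward is dropped before the hash is stored) beside a hardened form that always stores the full 20-byte digest, and then applies the verification check above to a constructed in-memory stand-in for HTTP.db. The USER table layout (columns `username`, `password`) is an assumption; adapt the query to the real schema. Note that whether a digest contains a zero byte depends only on the digest bytes, which is why the check looks at stored hash length rather than at password complexity.

```python
"""Added example (not part of the advisory or of SanteSoft's code).
Simulates SHA1-digest truncation at a zero byte and audits a USER table
for the short hashes that truncation leaves behind."""
import base64
import hashlib
import sqlite3

DIGEST_LEN = 20    # SHA1 output size in bytes
FULL_B64_LEN = 28  # base64 length of 20 bytes, including the "=" padding


def sha1_digest(password: str) -> bytes:
    return hashlib.sha1(password.encode("utf-8")).digest()


def store_vulnerable(digest: bytes) -> str:
    """Models the defect: the raw digest is treated as a NUL-terminated string,
    so the bytes from the first zero byte onward are lost before encoding."""
    cut = digest.find(b"\x00")
    kept = digest if cut < 0 else digest[:cut]
    return base64.b64encode(kept).decode("ascii")


def store_fixed(digest: bytes) -> str:
    """Hardened form: always encode the full fixed-length digest."""
    if len(digest) != DIGEST_LEN:
        raise ValueError("expected a 20-byte SHA1 digest")
    return base64.b64encode(digest).decode("ascii")


def is_truncated(stored: str) -> bool:
    """A correctly stored SHA1 hash is 28 base64 chars decoding to 20 bytes;
    anything shorter (or undecodable) is flagged."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:
        return True
    return len(stored) != FULL_B64_LEN or len(raw) != DIGEST_LEN


def audit_user_table(conn: sqlite3.Connection):
    """Return (username, stored_hash) for every row whose hash is not a full digest.
    Column names are assumed; the advisory does not give the HTTP.db schema."""
    rows = conn.execute("SELECT username, password FROM USER").fetchall()
    return [(user, stored) for (user, stored) in rows if is_truncated(stored)]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for HTTP.db (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER (username TEXT PRIMARY KEY, password TEXT)")
    # Constructed 20-byte digest with a zero byte at offset 5; it is not the
    # SHA1 of any particular password, just a stand-in for the bad case.
    digest_with_nul = bytes([0x5A, 0x1B, 0x7C, 0x33, 0x9E, 0x00]) + bytes(range(1, 15))
    conn.executemany("INSERT INTO USER VALUES (?, ?)", [
        ("alice", store_fixed(sha1_digest("correct horse"))),   # stored by fixed code
        ("bob", store_vulnerable(digest_with_nul)),             # truncated to 5 bytes
        ("carol", store_vulnerable(sha1_digest("password"))),   # digest has no zero byte
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for user, stored in audit_user_table(build_sample_db()):
        print(f"truncated hash for {user!r}: {stored!r} ({len(stored)} chars, expected {FULL_B64_LEN})")
```

Against a real HTTP.db, point `sqlite3.connect` at a copy of the file rather than the live database, and treat every row the audit returns as an account whose credential must be reset after the patch is applied, since the stored prefix is all the old version ever compared.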
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login from same IP
- Successful logins with unusual timing patterns
Network Indicators:
- Unusual authentication traffic patterns to PACS web interface
SIEM Query:
source="pacs_server" AND (event_type="authentication" AND result="success") | stats count by user, src_ip | where count > threshold
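The script below is an added example, not part of the advisory, showing the two log indicators and the SIEM query above implemented over constructed authentication log lines. The line format (`<date> <time> auth user=... src=... result=...`) is an assumption standing in for whatever Sante PACS Server actually writes; adapt the regular expression to the real layout. It flags a success preceded by several failures from the same source within a short window, and counts successes per user and source address the way the query does.

```python
"""Added example (not from the advisory): applies the Log Indicators and the
SIEM query to constructed authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout; the real Sante PACS Server format is not given in the advisory.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log lines (not real Sante PACS output).
SAMPLE_LOG = """\
2025-03-10 09:00:01 auth user=radiologist src=10.0.5.20 result=success
2025-03-10 09:05:00 auth user=radiologist src=10.0.5.20 result=success
2025-03-10 09:14:02 auth user=admin src=203.0.113.7 result=failure
2025-03-10 09:14:03 auth user=admin src=203.0.113.7 result=failure
2025-03-10 09:14:05 auth user=admin src=203.0.113.7 result=failure
2025-03-10 09:14:09 auth user=admin src=203.0.113.7 result=success
2025-03-10 09:30:00 auth user=tech src=10.0.5.31 result=failure
2025-03-10 10:30:00 auth user=tech src=10.0.5.31 result=success
"""


def parse(log_text: str):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "ip": m["ip"],
            "result": m["result"],
        })
    return events


def failed_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """First Log Indicator: a success from an IP that produced at least
    `min_failures` failures within `window` before it. Returns (ip, user, ts)."""
    recent_failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["ip"]
        if e["result"] == "failure":
            recent_failures[ip].append(e["ts"])
            continue
        cutoff = e["ts"] - window
        in_window = [t for t in recent_failures[ip] if t >= cutoff]
        if len(in_window) >= min_failures:
            alerts.append((ip, e["user"], e["ts"]))
        recent_failures[ip] = []  # a success closes the current burst
    return alerts


def successes_by_user_ip(events, threshold=1):
    """Equivalent of the SIEM query: count successful logins per (user, src_ip)
    and keep the pairs whose count exceeds `threshold`."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "success":
            counts[(e["user"], e["ip"])] += 1
    return {pair: n for pair, n in counts.items() if n > threshold}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, user, ts in failed_then_success(evs):
        print(f"ALERT: burst of failures then success for {user} from {ip} at {ts}")
    for (user, ip), n in successes_by_user_ip(evs).items():
        print(f"{user} from {ip}: {n} successful logins")
```

The window and failure count are tuning knobs: for a PACS web interface that legitimate users log into a few times a day, a threshold of one or two per user and source address, evaluated over a day, is a reasonable starting point for the SIEM query, and the burst rule is what separates a user mistyping once from a credential being guessed.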