CVE-2025-54861

6.1 MEDIUM

📋 TL;DR

A reflected cross-site scripting vulnerability in MedDream PACS Premium allows attackers to execute arbitrary JavaScript code by tricking users into clicking malicious URLs. This affects healthcare organizations using MedDream PACS Premium 7.3.6.870 for medical imaging. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • MedDream PACS Premium
Versions: 7.3.6.870
Operating Systems: All platforms running MedDream PACS Premium
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the modifyCoercion functionality. Requires user interaction (clicking a malicious link).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker steals administrator session cookies, gains full system access, exfiltrates patient medical data, and potentially modifies medical images or records.

🟠

Likely Case

Attacker steals user session cookies to access patient data, performs phishing attacks, or redirects users to malicious sites.

🟢

If Mitigated

Attack limited to stealing non-sensitive session data if proper input validation and output encoding are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires social engineering to deliver the malicious URL to a victim. No authentication is required to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Contact MedDream vendor for patch availability
2. Apply vendor-provided patch when available
3. Test in non-production environment first
4. Deploy to production systems

🔧 Temporary Workarounds

Web Application Firewall (WAF)
Applies to: all
Deploy a WAF with XSS protection rules to block malicious requests.

Input Validation
Applies to: all
Implement server-side input validation for the modifyCoercion parameters.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Deploy network segmentation to isolate MedDream PACS from internet access

🔍 How to Verify

Check if Vulnerable:

Test the modifyCoercion endpoint with XSS payloads such as <script>alert('test')</script> in its URL parameters.

Check Version:

Check MedDream PACS version in administration interface or configuration files

Verify Fix Applied:

Verify that input validation rejects or sanitizes script tags and that output encoding is applied wherever the parameter is reflected into the page.
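To make the "verify fix applied" step concrete, the following added example (not MedDream code; the handler shape and parameter name are hypothetical) shows the reflection pattern that produces this class of bug beside the contextually encoded form, plus a check that can be run against rendered output to confirm the untrusted value no longer reaches the page unescaped. The probe string is the one quoted in the verification step above.

```python
import html

# Hypothetical handler shape, not MedDream's code: each function takes an
# untrusted query-parameter value and builds the HTML fragment that echoes it.


def render_unsafe(value):
    """Reflected-XSS pattern: the parameter is concatenated straight into
    markup, so '<', '>' and quotes survive into the served page."""
    return f"<p>Coercion rule: {value}</p>"


def render_safe(value):
    """Output encoding for an HTML text context: '<' '>' '&' and both quote
    characters are replaced by entities before the value is embedded."""
    return f"<p>Coercion rule: {html.escape(value, quote=True)}</p>"


def render_safe_attr(value):
    """Same idea for an attribute context: escape quotes and always wrap the
    attribute value in double quotes so it cannot be closed early."""
    return f'<input name="rule" value="{html.escape(value, quote=True)}">'


def reflects_raw_markup(rendered, value):
    """Fix-verification check: True when a value containing markup
    characters appears verbatim (unescaped) in the rendered output."""
    has_markup = any(ch in value for ch in "<>\"'&")
    return has_markup and value in rendered


if __name__ == "__main__":
    # Probe from the advisory's verification step; constructed input, not traffic.
    probe = "<script>alert('test')</script>"
    for fn in (render_unsafe, render_safe):
        out = fn(probe)
        print(fn.__name__, "unescaped reflection:", reflects_raw_markup(out, probe))
```

Running the block prints True for the unsafe renderer and False for the encoded one; the same check, pointed at the real response body, is the practical "verify fix applied" test.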

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifyCoercion requests with script tags or JavaScript code in parameters
  • Multiple failed login attempts following XSS payload requests

Network Indicators:

  • HTTP requests to modifyCoercion with suspicious parameters
  • Outbound connections to unknown domains after XSS execution

SIEM Query:

source="meddream_logs" AND uri="*modifyCoercion*" AND (param="*<script>*" OR param="*javascript:*")
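The SIEM query above matches the literal strings <script> and javascript:, so a payload delivered percent-encoded (or mixed-case) in the URL would not be caught. The following added example, which is not part of the advisory or of MedDream's tooling, implements the same two log indicators over constructed combined-format access-log lines, decoding query parameters (including double-encoded ones) and lower-casing them before matching. The endpoint path and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /modifyCoercion?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2025:10:00:02 +0000] "GET /modifyCoercion?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jan/2025:10:00:03 +0000] "GET /modifyCoercion?redirect=JavaScript%3Aalert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Jan/2025:10:00:04 +0000] "GET /viewer?id=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Jan/2025:10:00:05 +0000] "GET /modifyCoercion?id=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Fields of a combined-log-format line that the scan needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two indicators from the advisory's SIEM query, compared after decoding
# and lower-casing so encoded or mixed-case variants still match.
INDICATORS = ("<script", "javascript:")

# Endpoint name from the advisory; its exact path is an assumption, hence a
# case-insensitive substring match on the request path.
ENDPOINT = "modifycoercion"


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters of a modifyCoercion
    request whose decoded value carries an indicator; [] otherwise."""
    parts = urlsplit(target)
    if ENDPOINT not in parts.path.lower():
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value).lower()
        if any(marker in decoded for marker in INDICATORS):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Parse each log line and collect the requests flagged by suspicious_params."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": m["status"],
                "target": m["target"],
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["params"])
```

On the sample lines the scan flags the single-encoded script tag, the mixed-case javascript: URL and the double-encoded script tag, and ignores both the benign modifyCoercion request and the script tag sent to a different endpoint. The flagged source addresses are the natural pivot for the "outbound connections to unknown domains" network indicator listed above.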
