Multiple vulnerabilities in Sante PACS Server

Published: 2025-03-17

Risk	High
Patch available	YES
Number of vulnerabilities	4
CVE-ID	CVE-2025-2263 CVE-2025-2264 CVE-2025-2265 CVE-2025-2284
CWE-ID	CWE-121 CWE-22 CWE-916 CWE-824
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available.
Vulnerable software	PACS Server Server applications / Other server solutions
Vendor	Santesoft

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Stack-based buffer overflow

EUVDB-ID: #VU105785

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2025-2263

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the EVP_DecryptUpdate function. A remote unauthenticated attacker can #CONDITION2#, trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PACS Server: 4.1.0

CPE2.3

cpe:2.3:a:santesoft:pacs_server:4.1.0:*:*:*:*:*:*:*

External links

https://www.tenable.com/security/research/tra-2025-08

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Path traversal

EUVDB-ID: #VU105787

Risk: High

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2025-2264

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in "Sante PACS Server.exe". A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PACS Server: 4.1.0

CPE2.3

cpe:2.3:a:santesoft:pacs_server:4.1.0:*:*:*:*:*:*:*

External links

https://www.tenable.com/security/research/tra-2025-08

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Use of Password Hash With Insufficient Computational Effort

EUVDB-ID: #VU105788

Risk: Low

CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2025-2265

CWE-ID: CWE-916 - Use of Password Hash With Insufficient Computational Effort

Exploit availability: Yes

Description

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to use of a weak hash algorithm in "Sante PACS Server.exe". A local user can decode credentials and gain unauthenticated access to the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PACS Server: 4.1.0

CPE2.3

cpe:2.3:a:santesoft:pacs_server:4.1.0:*:*:*:*:*:*:*

External links

https://www.tenable.com/security/research/tra-2025-08

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Access of Uninitialized Pointer

EUVDB-ID: #VU105789

Risk: High

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2025-2284

CWE-ID: CWE-824 - Access of Uninitialized Pointer

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized pointer in the "GetWebLoginCredentials" function in "Sante PACS Server.exe". A remote attacker can cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PACS Server: 4.1.0

CPE2.3

cpe:2.3:a:santesoft:pacs_server:4.1.0:*:*:*:*:*:*:*

External links

https://www.tenable.com/security/research/tra-2025-08

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.