Author: Chizuru Toyama, TXOne Research
Background
Modern healthcare relies heavily on digital technology to streamline workflows and enhance patient care. One critical component in this digital ecosystem is the Picture Archiving and Communication System (PACS). PACS is a networked system used to electronically store, retrieve, manage, and share medical images. It replaces traditional film-based methods, eliminating the need for physical storage and manual handling of medical images.
By digitizing imaging processes, PACS enables healthcare professionals to instantly access images from various locations and devices. This not only speeds up diagnosis and treatment but also fosters better collaboration among medical teams.
Closely tied to PACS is the Digital Imaging and Communications in Medicine (DICOM) standard. DICOM defines the format and communication protocols for medical images and associated data, such as patient information and imaging parameters. A DICOM file can contain anything from an MRI scan to the details about the equipment used during imaging.
What sets DICOM apart is its focus on interoperability. It ensures that devices and systems from different vendors can seamlessly exchange and interpret imaging data, making it a cornerstone of modern medical imaging infrastructure.
Exposure of PACS and DICOM
As of April 2025, numerous PACS servers and DICOM nodes were found to be accessible online, making them vulnerable to cyber threats. This internet exposure can lead to unauthorized access to sensitive patient records and medical images, potentially compromising patient privacy and healthcare integrity.
Newly Found Vulnerabilities
MedDream PACS Servers
MedDream PACS servers, known for their cross-platform compatibility and web-based viewing capabilities, are affected by several critical vulnerabilities:
These vulnerabilities allow attackers to execute arbitrary code, potentially gaining control over the PACS server and accessing sensitive medical data.
Sante PACS Servers
Sante PACS servers, which support full DICOM functionality and web-based viewing, have been found with several vulnerabilities:
These vulnerabilities can lead to arbitrary file writes and denial-of-service attacks, compromising the security and availability of medical data.
Osirix PACS Servers
Osirix PACS servers, exclusive to macOS, have been identified with several vulnerabilities:
CVE | Vulnerability | CVSSv4 |
CVE-2025-27578 | • Pixmeo Osirix MD DICOM C-STORE Use-After-Free Denial-of-Service Vulnerability • Pixmeo Osirix MD XML-RPC DownloadURL Use-After-Free Denial-of-Service Vulnerability • Pixmeo Osirix MD Web Portal Upload File Use-After-Free Denial-of-Service Vulnerability • Pixmeo Osirix MD DICOMweb WADO Use-After-Free Denial-of-Service Vulnerability | 8.7 |
CVE-2025-31946 | Pixmeo Osirix MD "osirix://" URL Use-After-Free Denial-of-Service Vulnerability | 6.9 |
CVE-2025-27720 | Pixmeo Osirix MD Cleartext Transmission of Sensitive Information Vulnerability | 9.3 |
These vulnerabilities can be exploited to disrupt the functionality of PACS servers, leading to denial-of-service attacks and potential data breaches.
Mitigations
To protect against these vulnerabilities, healthcare providers should implement the following measures:
- Use Firewalls and VPNs: Place PACS servers behind firewalls and require VPNs for remote access. Restrict incoming DICOM communication and enforce TLS encryption.
- Update and Patch Systems: Regularly update PACS servers with the latest security patches to protect against known vulnerabilities.
- Access Control: Ensure that only authorized personnel can access and modify DICOM files. Implement role-based access control (RBAC), multi-factor authentication (MFA), and strong password policies.
- Continuous Monitoring: Monitor PACS servers for unusual activity or potential security breaches. Utilize audit logs, user activity tracking, and network traffic analysis.
- Educate Staff: Train healthcare and IT staff on the importance of PACS security and the risks associated with exposed servers and DICOM files. Promote awareness of phishing attempts and secure access practices.
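One way to apply "Restrict incoming DICOM communication" at a DICOM-aware proxy or log pipeline is shown below. It is an added example, not code from TXOne or any PACS vendor. It parses the fixed header of a reassembled A-ASSOCIATE-RQ PDU and checks the called and calling AE titles and the source address against an allowlist. The AE titles, networks and function names are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed site policy (hypothetical values): calling AE title -> permitted source network.
ALLOWED_PEERS = {
    "CT_SCANNER_01": ipaddress.ip_network("10.20.30.0/24"),
    "RAD_WS_07": ipaddress.ip_network("10.20.40.0/24"),
}
LOCAL_AE = "HOSPITAL_PACS"  # hypothetical AE title of the protected PACS


def parse_associate_rq(data: bytes):
    """Return (called_ae, calling_ae) from an A-ASSOCIATE-RQ PDU, or None if malformed."""
    # Layout: type(1) reserved(1) length(4, big-endian), then
    # protocol-version(2) reserved(2) called-AE(16) calling-AE(16) reserved(32).
    if len(data) < 74 or data[0] != 0x01:
        return None
    (length,) = struct.unpack(">I", data[2:6])
    if length < 68 or length > len(data) - 6:
        return None  # declared length disagrees with the bytes received
    try:
        called = data[10:26].decode("ascii").strip()
        calling = data[26:42].decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    return called, calling


def check_association(src_ip: str, data: bytes) -> str:
    """Classify an inbound association request against the allowlist."""
    parsed = parse_associate_rq(data)
    if parsed is None:
        return "reject: malformed A-ASSOCIATE-RQ"
    called, calling = parsed
    if called != LOCAL_AE:
        return f"reject: unexpected called AE {called!r}"
    net = ALLOWED_PEERS.get(calling)
    if net is None:
        return f"reject: unknown calling AE {calling!r}"
    if ipaddress.ip_address(src_ip) not in net:
        return f"reject: {calling!r} from unexpected address {src_ip}"
    return "allow"


def build_sample_rq(called: str, calling: str) -> bytes:
    """Constructed sample PDU: fixed fields only, no presentation contexts."""
    body = struct.pack(">HH", 1, 0) + called.ljust(16).encode() + calling.ljust(16).encode() + bytes(32)
    return bytes([0x01, 0x00]) + struct.pack(">I", len(body)) + body
```

AE titles are sent by the peer and are not authentication, so this check complements network segmentation and TLS rather than replacing them.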
All products from TXOne Networks incorporate the updated signature rules for these vulnerabilities to protect your devices from potential attacks. We have also listed the rules below:
Rule ID | Vulnerability | CVE |
1236634 | ICS Pixmeo Osirix MD Cleartext Transmission of Sensitive Information Vulnerability | CVE-2025-27720 |
1236614 | ICS Pixmeo Osirix MD DICOM C-STORE Use-After-Free Denial-of-Service Vulnerability | CVE-2025-27578 |
1236621 | ICS Pixmeo Osirix MD Web Portal Upload File Use-After-Free Denial-of-Service Vulnerability | CVE-2025-27578 |
1236623 | ICS Pixmeo Osirix MD DICOMweb WADO Use-After-Free Denial-of-Service Vulnerability | CVE-2025-27578 |
1236625 | ICS Pixmeo Osirix MD URL Scheme Use-After-Free Denial-of-Service Vulnerability | CVE-2025-31946 |
1236632 | ICS MedDream WEB DICOM Viewer Cleartext Transmission of Credentials Information Disclosure Vulnerability | CVE-2025-3480 |
1236626 | ICS MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability | CVE-2025-3481 |
1236627 | ICS MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability | CVE-2025-3482 |
1236628 | ICS MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability | CVE-2025-3483 |
1236629 | ICS MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability | CVE-2025-3484 |
1236615 | ICS Sante PACS Server DICOM C-STORE Denial-of-Service Vulnerability | CVE-2025-0568, CVE-2025-0569 |
1236620 | ICS Sante PACS Server Web Portal Upload File Denial-of-Service Vulnerability | CVE-2025-0570, CVE-2025-0571 |
1236617 | ICS Sante PACS Server Web Portal DCM File Parsing Directory Traversal Arbitrary File Write Vulnerability | CVE-2025-0572 |
1236616 | ICS Sante PACS Server DCM File Parsing Directory Traversal Arbitrary File Write Vulnerability | CVE-2025-0573 |
1236636 | ICS Sante PACS Server URL path Denial-of-Service Vulnerability | CVE-2025-0574 |
These signatures help detect and block exploitation attempts, ensuring robust security for healthcare environments.
Conclusion
The discovery of vulnerabilities in PACS and DICOM systems highlights the urgent need for enhanced cybersecurity in healthcare. By proactively addressing these risks and implementing comprehensive security measures, healthcare providers can protect patient data and maintain the integrity of their imaging infrastructure.