Skip to main content
CybersecurityVulnerability Management

CVE-2025-0896: Orthanc Server Critical Vulnerability Overview

CVE-2025-0896: Orthanc Server Critical Vulnerability Overview

Summary of Orthanc Server Vulnerability

This document outlines a critical vulnerability in the Orthanc Server, specifically related to missing authentication for critical functions. The vulnerability could allow unauthorized access, leading to potential data disclosure, modification, or denial-of-service conditions.

1. EXECUTIVE SUMMARY

  • CVSS v4 Score: 9.2
  • Exploitation: Remotely exploitable with low attack complexity
  • Vendor: Orthanc
  • Equipment: Orthanc Server
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Exploitation of this vulnerability could allow attackers to access sensitive information, modify records, or disrupt services.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

  • Orthanc server: Versions prior to 1.5.8

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The Orthanc server versions before 1.5.8 do not enable basic authentication by default when remote access is enabled, leading to unauthorized access risks.

This vulnerability is identified as CVE-2025-0896, with a CVSS v3.1 base score of 9.8 and a CVSS v4 score of 9.2.

3.3 BACKGROUND

  • Critical Infrastructure Sectors: Healthcare and Public Health
  • Deployment Areas: Worldwide
  • Company Headquarters: Belgium

3.4 RESEARCHER

The vulnerability was reported by Amitay Dan to Orthanc and by Souvik Kandar to CISA.

4. MITIGATIONS

Orthanc recommends updating to the latest version or enabling HTTP authentication in the configuration file.

CISA suggests additional defensive measures, including:

  • Minimizing network exposure for control systems.
  • Using firewalls to isolate control system networks.
  • Utilizing secure remote access methods like VPNs.

Organizations should conduct impact analysis and risk assessments before implementing defensive measures.

5. UPDATE HISTORY

  • February 6, 2025: Initial Publication

For more details, visit the original article at CSAF GitHub.