OTPulse

Philips Vue PACS (Update A)

Priority: Act Now
CVSS: 6.8
Source: ICS-CERT ICSMA-24-200-01
Published: Jul 18, 2024
Attack Vector: Adjacent
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Philips Vue PACS contains resource exhaustion (CWE-770) and default-credential (CWE-1392) vulnerabilities that could allow an attacker with administrative credentials and local network access to gain unauthorized access to the PACS database, impact system availability, compromise data integrity, or cause denial-of-service conditions. These vulnerabilities affect Vue PACS versions prior to 12.2.8.410.

What this means
What could happen
An attacker with administrative credentials and a foothold on the Vue PACS network segment could exploit these vulnerabilities to reach the PACS database directly, bypassing the application's own access controls. From there they could alter or delete patient imaging records, disrupt image storage and retrieval, or take the system offline, which degrades the hospital's diagnostic and treatment capabilities for as long as the outage or corruption persists.
Who's at risk
Hospital IT and clinical engineering staff managing Philips Vue PACS systems (medical imaging/PACS workstations and servers). This affects diagnostic imaging operations including CT, MRI, X-ray, and ultrasound departments that depend on PACS for image storage, retrieval, and diagnostic workflow.
How it could be exploited
An attacker holding administrative credentials and positioned on the local Vue PACS network segment could use the default database credentials (CWE-1392) to connect directly to the backend database, circumventing application-level access controls, or could drive the system into resource exhaustion (CWE-770) to degrade or deny service. Neither path requires user interaction, but both require the adjacent-network position and high privileges reflected in the CVSS vector.
Prerequisites
  • Administrative credentials for Vue PACS system
  • Network access to Vue PACS local network segment
  • Knowledge of underlying database configuration
  • Vue PACS version prior to 12.2.8.410
  • Credentials required (administrative access)
  • Local network access required
  • EPSS score 10.5%
  • Medium CVSS score (6.8)
  • Affects healthcare critical system
  • Fix available (12.2.8.410); no separate patch for earlier versions
Exploitability
EPSS 10.5%: the estimated probability of exploitation activity in the wild within the next 30 days, which is elevated relative to most CVEs even though the CVSS base score is only Medium.
Affected products (1)
Product    Affected Versions    Fix Status
Vue PACS   < 12.2.8.410         Fixed in 12.2.8.410
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to restrict Vue PACS administrative access to authorized engineering workstations only; configure firewall rules per Philips D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide
HARDENING: Restrict database access to only the required service accounts; audit and disable unnecessary database ports and protocols per the Philips hardening guide
HARDENING: Enable administrative access logging and audit trails for all Vue PACS administrative activities
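As an added example (not Philips' or CISA's code, and not part of the original advisory), the following Python audit checks connection-log lines against the two controls above: it flags any connection to the backend database port from a host outside an assumed engineering-workstation subnet, and flags any single client that opens a burst of database connections, the pattern behind the CWE-770 resource-exhaustion finding. The subnet, database host, port (5432 is a placeholder), thresholds and log-line format are all assumptions; take the real port list from Philips D000763414.

```python
"""Audit constructed connection-log lines for a PACS database segment.

Policy checked (all values below are illustrative assumptions):
  1. the PACS database port may only be reached from engineering workstations
  2. no single client may open a burst of database connections (CWE-770 symptom)
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values (placeholders; real values come from site config and D000763414)
ENGINEERING_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
PACS_DB_HOST = ipaddress.ip_address("10.10.0.5")
PACS_DB_PORT = 5432            # assumed placeholder for the backend database port
BURST_THRESHOLD = 20           # more than this many connections per window is a burst
BURST_WINDOW = timedelta(seconds=60)

# Assumed log format: "<ISO8601> conn src=<ip> sport=<n> dst=<ip> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) sport=\d+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


@dataclass(frozen=True)
class Finding:
    kind: str      # "unauthorized_segment" or "db_connection_burst"
    src: str
    detail: str


def parse_line(line: str) -> Conn | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Conn(ts, ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))


def is_engineering_host(ip) -> bool:
    return any(ip in net for net in ENGINEERING_SUBNETS)


def audit(lines) -> list[Finding]:
    """Return policy findings for the database connections present in `lines`."""
    findings: list[Finding] = []
    db_conns_by_src: dict = defaultdict(list)
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue  # tolerate malformed lines instead of aborting the audit
        if conn.dst != PACS_DB_HOST or conn.dport != PACS_DB_PORT:
            continue  # only connections to the database service are in scope
        if not is_engineering_host(conn.src):
            findings.append(Finding("unauthorized_segment", str(conn.src), conn.ts.isoformat()))
        db_conns_by_src[conn.src].append(conn.ts)

    # Sliding window over each client's connection timestamps to detect bursts
    for src, times in db_conns_by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count > BURST_THRESHOLD:
                findings.append(Finding(
                    "db_connection_burst", str(src),
                    f"{count} connections within {BURST_WINDOW.seconds}s ending {t.isoformat()}"))
                break  # report each client once
    return findings


# Constructed sample log (not real Vue PACS or firewall output)
_BURST_BASE = datetime.fromisoformat("2024-07-18T10:16:00+00:00")
SAMPLE_LOG = [
    "2024-07-18T10:15:02Z conn src=10.20.0.15 sport=51234 dst=10.10.0.5 dport=5432",  # allowed
    "2024-07-18T10:15:05Z conn src=10.30.0.7 sport=51235 dst=10.10.0.5 dport=5432",   # clinical segment -> DB
    "2024-07-18T10:15:06Z conn src=10.30.0.7 sport=51236 dst=10.10.0.5 dport=104",    # DICOM, out of scope
    "2024-07-18T10:15:07Z conn src=10.20.0.16 sport=51237 dst=10.10.0.9 dport=5432",  # other host, out of scope
    "malformed line that the parser must tolerate",
] + [
    f"{(_BURST_BASE + timedelta(seconds=i)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
    f"conn src=10.20.0.15 sport={52000 + i} dst=10.10.0.5 dport=5432"
    for i in range(25)
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.kind, f.src, f.detail)
```

Run against the constructed log, the audit reports the clinical-segment host that reached the database port and the engineering workstation that opened 21 connections inside one 60-second window; the DICOM connection and the connection to a different host are ignored because only the database service is in scope. Feeding the same logic the exported firewall or database listener logs gives a cheap way to verify that the segmentation rules from the Philips ports guide are actually holding.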
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Vue PACS to version 12.2.8.410 or later
HOTFIX: For managed services customers, contact the local Philips sales representative to request release availability