OTPulse

Orthanc Server

Priority: Act Now
Score: 9.8
Source: ICS-CERT ICSMA-25-037-02
Published: Feb 6, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Missing authentication control in Orthanc server versions prior to 1.5.8 allows unauthenticated remote access to DICOM medical imaging data. An attacker can disclose sensitive medical information, modify or delete patient records, or cause denial-of-service by accessing the HTTP interface without credentials. The vulnerability exists in the core access control logic (CWE-306: Missing Authentication for Critical Function).

What this means
What could happen
An attacker could read sensitive medical imaging data, modify patient records, or disrupt access to imaging archives in healthcare facilities. This affects the availability and integrity of critical diagnostic information.
Who's at risk
Healthcare facilities using Orthanc server for DICOM medical image storage and retrieval. This includes hospital imaging departments, radiology centers, and any facility relying on Orthanc for archival of CT, MRI, X-ray, and other diagnostic imaging data.
How it could be exploited
An attacker with network access to the Orthanc server (typically port 8042) can send unauthenticated requests to bypass access controls. No valid credentials are required. The attacker can then retrieve, modify, or delete DICOM medical images and related patient data.
Prerequisites
  • Network access to Orthanc server HTTP port (default 8042)
  • HTTP authentication not enabled in configuration
  • Orthanc version prior to 1.5.8
Key points
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects healthcare data integrity and availability
  • Default configuration is insecure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product           Affected Versions   Fix Status
Orthanc server    <1.5.8              1.5.8
Remediation & Mitigation
Do now
WORKAROUND: Enable HTTP authentication by setting 'AuthenticationEnabled': true in the Orthanc configuration file
HARDENING: Restrict network access to the Orthanc server using firewall rules; limit HTTP port access to trusted medical workstations and administrative networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Orthanc to version 1.5.8 or later when available from the vendor
Long-term hardening
HARDENING: If remote access is required, deploy Orthanc behind a VPN or reverse proxy with strong authentication
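As an added example (not code from this advisory or the Orthanc project), a small Python audit that flags the weak configuration the workaround above targets, shows the corrected form beside it, and verifies a server you administer after the change; the config file path, the user name and the password placeholder are assumptions.

```python
import json
import urllib.error
import urllib.request

# Constructed sample configs (not from the page or the Orthanc project). INSECURE is
# the state the advisory describes: the API on 8042 is network-reachable, no credentials.
INSECURE_CONFIG = {
    "HttpPort": 8042,
    "RemoteAccessAllowed": True,
    "AuthenticationEnabled": False,
}
# Corrected form for the workaround: authentication enabled plus a registered user.
HARDENED_CONFIG = {
    "HttpPort": 8042,
    "RemoteAccessAllowed": True,
    "AuthenticationEnabled": True,
    "RegisteredUsers": {"pacs-admin": "REPLACE-WITH-A-STRONG-PASSWORD"},
}

def audit_orthanc_config(cfg):
    """Return a list of findings for an orthanc.json dict (empty list = OK)."""
    findings = []
    if not cfg.get("AuthenticationEnabled", False):
        findings.append("AuthenticationEnabled is not true: REST API accepts unauthenticated requests (CWE-306)")
        if cfg.get("RemoteAccessAllowed", False):
            findings.append("RemoteAccessAllowed is true: the unauthenticated API is reachable from the network")
    elif not cfg.get("RegisteredUsers"):
        findings.append("AuthenticationEnabled is true but RegisteredUsers is empty: nobody can log in")
    return findings

def audit_config_file(path):
    """Audit an orthanc.json on disk (assumes strict JSON without comments)."""
    with open(path, encoding="utf-8") as fh:
        return audit_orthanc_config(json.load(fh))

def classify_probe_status(status):
    """Interpret the HTTP status of an unauthenticated GET /system on your own server."""
    if status == 200:
        return "UNAUTHENTICATED ACCESS: /system answered without credentials"
    if status == 401:
        return "OK: server demands credentials"
    return f"inconclusive: HTTP {status}"

def probe_orthanc(base_url="http://127.0.0.1:8042", timeout=5):
    """Live verification after changing the config; returns the classification string."""
    try:
        with urllib.request.urlopen(f"{base_url}/system", timeout=timeout) as resp:
            return classify_probe_status(resp.status)
    except urllib.error.HTTPError as exc:
        return classify_probe_status(exc.code)
```

Run the audit against the deployed orthanc.json before and after the change, then call probe_orthanc against the server itself; a 401 on /system confirms the flag is actually enforced.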