Orthanc Server
CVSS 9.8 · ICS-CERT ICSMA-25-037-02 · Feb 6, 2025
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
Orthanc server versions before 1.5.8 are vulnerable to unauthenticated access to the HTTP API (CWE-306: Missing Authentication for Critical Function). The vulnerability allows an attacker to access the API without providing valid credentials, potentially disclosing sensitive DICOM patient imaging data, modifying medical records, or causing denial of service.
What this means
What could happen
An attacker without credentials could read sensitive medical imaging data, modify patient records, or disrupt imaging services by exploiting missing authentication controls on the Orthanc server.
Who's at risk
Healthcare facilities and medical imaging departments using Orthanc DICOM server for storing and managing radiological images should assess this risk. This impacts any organization relying on Orthanc for archiving and retrieval of patient imaging records.
How it could be exploited
An attacker on the network or internet sends an unauthenticated HTTP request to the Orthanc server API endpoint. Because HTTP authentication is not enabled by default, the server processes the request and returns sensitive DICOM data or allows modification of records without verifying the attacker's identity.
Prerequisites
- Network access to the Orthanc HTTP API (typically port 8042 or custom port)
- HTTP authentication must not be enabled in the Orthanc configuration
Tags: remotely exploitable · no authentication required · low complexity · affects healthcare records and patient data · default configuration is insecure
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product | Affected Versions | Fix Status
Orthanc server | <1.5.8 | 1.5.8
Remediation & Mitigation
Do now
- WORKAROUND: Enable HTTP authentication by setting "AuthenticationEnabled": true in the Orthanc configuration file
- HARDENING: Restrict network access to the Orthanc API port (default 8042) to trusted medical workstations and applications only, using firewall rules
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
- HOTFIX: Update Orthanc server to version 1.5.8 or later
Long-term hardening
- HARDENING: Isolate the Orthanc server from direct internet access and place it behind a firewall or VPN gateway
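As an added example (not part of the advisory or the Orthanc project), the check below audits an Orthanc configuration for the weak setting this advisory describes and for the workaround being applied incompletely. It assumes the configuration is plain JSON without comments; the two sample configurations are constructed, and the keys RemoteAccessAllowed and RegisteredUsers are standard Orthanc settings not mentioned on this page.

```python
import json

# Constructed sample: an Orthanc configuration with the weak default the advisory
# describes (authentication off while the REST API listens on port 8042).
INSECURE_CONFIG = """
{
  "HttpPort": 8042,
  "RemoteAccessAllowed": true,
  "AuthenticationEnabled": false
}
"""

# Constructed sample: the same deployment with the workaround applied and an
# account defined (placeholder password, to be replaced in a real deployment).
HARDENED_CONFIG = """
{
  "HttpPort": 8042,
  "RemoteAccessAllowed": true,
  "AuthenticationEnabled": true,
  "RegisteredUsers": { "pacs-viewer": "REPLACE_WITH_STRONG_PASSWORD" }
}
"""


def audit_orthanc_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means the API is not exposed unauthenticated."""
    cfg = json.loads(text)
    findings = []
    # An unset key is treated as disabled, the default the advisory says is insecure.
    auth_enabled = bool(cfg.get("AuthenticationEnabled", False))
    remote_allowed = bool(cfg.get("RemoteAccessAllowed", False))
    users = cfg.get("RegisteredUsers", {})
    port = cfg.get("HttpPort", 8042)

    if not auth_enabled:
        findings.append("AuthenticationEnabled is false or unset: HTTP API accepts "
                        "unauthenticated requests (CWE-306)")
    elif not users:
        # The workaround only helps if at least one account exists to log in with.
        findings.append("AuthenticationEnabled is true but RegisteredUsers is empty: "
                        "no account can log in")
    if remote_allowed and not auth_enabled:
        findings.append(f"RemoteAccessAllowed is true: unauthenticated API reachable "
                        f"from other hosts on port {port}")
    return findings


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_orthanc_config(text) or ["no findings"])
```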
CVEs (1)