OTPulse

INFINITT Healthcare INFINITT PACS

Plan Patch
Score: 7.5
Source: ICS-CERT ICSMA-25-100-01
Published: Apr 10, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

INFINITT PACS System Manager versions 3.0.11.5_BN9 and earlier contain multiple vulnerabilities (CVE-2025-27714, CVE-2025-24489, CVE-2025-27721) that allow attackers to upload malicious files, access unauthorized system resources, and potentially execute arbitrary code or disclose sensitive information. The vulnerabilities are related to unrestricted file upload (CWE-434) and information exposure (CWE-497). Version 3.0.11.5_BN10 and later are not affected. INFINITT ULite is not affected unless operating as an integrated system with the vulnerable PACS System Manager.

What this means
What could happen
An attacker could upload malicious files to the PACS system or access sensitive patient imaging data and system information without authentication, potentially compromising healthcare operations or exposing protected health information (PHI).
Who's at risk
Healthcare organizations using INFINITT PACS System Manager should care about this vulnerability. PACS (Picture Archiving and Communication System) is critical infrastructure in hospitals and imaging centers, storing and serving medical images. Compromise could disrupt patient imaging workflows, expose protected health information, or allow attackers to modify or delete patient records.
How it could be exploited
An attacker on the network sends a specially crafted request to the PACS System Manager to upload a malicious file or access restricted system resources. Since authentication is not required and the attack can be performed over the network, the attacker could execute code on the PACS server or retrieve unauthorized data.
Prerequisites
  • Network access to the PACS System Manager (default or custom port)
  • No credentials required
Tags: remotely exploitable; no authentication required; low complexity; affects healthcare operations and patient data; no patch available for current versions
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: INFINITT PACS System Manager
Affected versions: 3.0.11.5_BN9 and earlier (<= 3.0.11.5_BN9)
Fix status: 3.0.11.5_BN10 or later
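To check an asset inventory against the affected range above, the following is an added example (not OTPulse's or INFINITT's code). It parses the vendor's "x.y.z.w_BNn" version format and compares the build number numerically, because a plain string comparison ranks BN9 above BN10. The inventory values are constructed, and treating a missing _BN suffix as build 0 is an assumption.

```python
import re

# Affected range from the advisory: 3.0.11.5_BN9 and earlier is affected;
# 3.0.11.5_BN10 and later is fixed.
FIRST_FIXED = "3.0.11.5_BN10"

# Dotted numeric release followed by an optional _BN<build> suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_BN(\d+))?$")


def parse_version(version: str) -> tuple:
    """Return (numeric release parts, build number) for 'a.b.c.d_BNn'.

    The build number is an int so that BN9 < BN10; comparing the raw
    strings would get this backwards ('9' > '1'). A missing _BN suffix
    is treated as build 0 (assumption, not stated by the advisory).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return release, build


def is_affected(installed: str) -> bool:
    """True if the installed System Manager version is below the first fix."""
    return parse_version(installed) < parse_version(FIRST_FIXED)


# Constructed sample inventory (hostname -> reported version); not real data.
SAMPLE_INVENTORY = {
    "pacs-sm-01": "3.0.11.5_BN9",
    "pacs-sm-02": "3.0.11.5_BN10",
    "pacs-sm-03": "3.0.11.4_BN12",
    "pacs-sm-04": "3.0.12.0_BN1",
}


def affected_hosts(inventory: dict) -> list:
    """Hostnames whose reported version falls in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade to {FIRST_FIXED}")
```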
Remediation & Mitigation
Do now
  • WORKAROUND: Configure System Manager settings to restrict unauthorized file uploads and validate file types and sizes
  • HARDENING: Enforce strong password policies for all PACS system accounts and enable logging to monitor for unauthorized access attempts
  • HARDENING: Place PACS servers behind firewalls and restrict network access to authorized clinical workstations and imaging devices only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade INFINITT PACS System Manager to version 3.0.11.5_BN10 or later
  • HOTFIX: If INFINITT ULite is integrated with the vulnerable PACS System Manager, apply the same patches and mitigations to secure the combined environment
Long-term hardening
  • HARDENING: If remote access to PACS is required, use a VPN and ensure it is kept updated to the latest version