INFINITT Healthcare INFINITT PACS

Plan patch | CVSS 7.5 | ICS-CERT ICSMA-25-100-01 | Apr 10, 2025
Sector: Healthcare
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

INFINITT PACS System Manager versions 3.0.11.5_BN9 and earlier contain a file upload vulnerability and an unauthorized resource access vulnerability that could enable arbitrary code execution or information disclosure. The underlying weaknesses are unrestricted upload of a file with a dangerous type (CWE-434) and exposure of sensitive system information to an unauthorized control sphere (CWE-497). INFINITT PACS ULite is not affected. The vendor has released version 3.0.11.5_BN10, which includes the security fixes for both issues.

What this means
What could happen
An attacker could upload malicious files or access sensitive patient data and system configurations on INFINITT PACS servers, potentially leading to arbitrary code execution or disclosure of protected health information (PHI).
Who's at risk
Healthcare facilities operating INFINITT PACS System Manager for medical image archival and retrieval. This affects clinical and administrative staff who depend on PACS for diagnostic imaging workflows. Patient privacy and system integrity are at risk.
How it could be exploited
An attacker with network access to the INFINITT PACS System Manager interface could upload a file of a dangerous type through the unrestricted upload flaw, which the advisory rates as sufficient for arbitrary code execution on the server, or retrieve system information that the server exposes without authorization, leading to information disclosure.
Prerequisites
  • Network access to INFINITT PACS System Manager port/interface
  • No authentication required to exploit file upload vulnerability
  • System running INFINITT PACS System Manager version 3.0.11.5_BN9 or earlier
Tags: remotely exploitable; no authentication required for file upload; low complexity exploit; affects healthcare systems handling protected health information; exposure to patient data disclosure
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
  Product                         Affected versions     Fix status
  INFINITT PACS System Manager    <= 3.0.11.5_BN9       fixed in 3.0.11.5_BN10 and later
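The affected range above turns on the `_BN` build suffix, and a naive string comparison gets it wrong: as text, "BN9" sorts after "BN10", which would mark the vulnerable build as fixed. The following is an added example (not code from the page or from INFINITT) that parses the vendor's version format into a numeric tuple so an inventory can be triaged correctly; the inventory entries and the helper names are assumptions, while the version boundary and the ULite exclusion come from the advisory.

```python
import re
from typing import Dict, List, Tuple

# From the advisory: everything up to and including 3.0.11.5_BN9 is
# affected; 3.0.11.5_BN10 and later carry the fix. ULite is out of scope.
FIXED_VERSION = "3.0.11.5_BN10"
AFFECTED_PRODUCT = "INFINITT PACS System Manager"

# Release digits, optionally followed by "_BN<build>".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_BN(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '3.0.11.5_BN9' into ((3, 0, 11, 5), 9).

    The build number is compared numerically, not as text, so BN9 < BN10.
    A version without a _BN suffix is treated as build 0 (assumption).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised INFINITT version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return release, build


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the first fixed build."""
    return parse_version(version) < parse_version(fixed)


def needs_patch(product: str, version: str) -> bool:
    """Apply the advisory's scope: only System Manager is in range."""
    if product.strip().lower() != AFFECTED_PRODUCT.lower():
        return False  # e.g. INFINITT PACS ULite, which the advisory excludes
    return is_affected(version)


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory entries that still need the BN10 update."""
    return [e for e in inventory if needs_patch(e["product"], e["version"])]


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    sample = [
        {"host": "pacs-sm-01", "product": AFFECTED_PRODUCT, "version": "3.0.11.5_BN9"},
        {"host": "pacs-sm-02", "product": AFFECTED_PRODUCT, "version": "3.0.11.5_BN10"},
        {"host": "pacs-sm-03", "product": AFFECTED_PRODUCT, "version": "3.0.11.4_BN12"},
        {"host": "ulite-01", "product": "INFINITT PACS ULite", "version": "3.0.11.5_BN9"},
    ]
    for entry in triage(sample):
        print(f"{entry['host']}: {entry['version']} needs update to {FIXED_VERSION}")
```

Feed it the product and version strings as the System Manager reports them; the parser rejects anything it does not recognise rather than silently treating it as patched.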
Remediation & Mitigation
Do now
HARDENING: Restrict network access to INFINITT PACS servers using firewall rules; do not expose PACS systems directly to the internet
HARDENING: Configure INFINITT PACS System Manager file upload restrictions to block unauthorized file types and uploads
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update INFINITT PACS System Manager to version 3.0.11.5_BN10 or later
HARDENING: Enforce strong password policies on INFINITT PACS System Manager accounts
HARDENING: Enable and monitor audit logging on INFINITT PACS servers to detect unauthorized access attempts
HOTFIX: INFINITT PACS ULite is not itself affected, but where ULite is integrated with an INFINITT PACS System Manager, confirm that the System Manager instance is updated to 3.0.11.5_BN10 or later so the combined environment is covered
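The two hardening items above (keep PACS off the internet, and monitor logs for unauthorized access) can be checked against the same data. The following is an added example, not code from the page or from INFINITT, that reviews web-tier access logs in front of the System Manager for uploads of dangerous file types, uploads with no authenticated user, and any request arriving from outside the clinical network. The log format (combined format plus a trailing `upload="..."` field written by a reverse proxy), the `/upload` path, the clinical subnet and the sample lines are all constructed assumptions; INFINITT's own log layout is not documented on this page, so adapt the regex to whatever your proxy or the product actually writes.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumption: clinical workstations and modalities live in this range.
CLINICAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Extensions that should never arrive through a PACS upload form.
DANGEROUS_EXT = {"aspx", "asp", "ashx", "jsp", "jspx", "php", "exe", "dll",
                 "bat", "cmd", "ps1", "vbs", "war", "jar"}

# Combined log format with an optional trailing upload="<filename>" field
# (assumed to be added by the reverse proxy from the multipart filename).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: upload="(?P<upload>[^"]*)")?'
)

# Constructed sample log, not real traffic. Line 2 is an external,
# unauthenticated upload of a server-side script; line 3 hides .exe
# behind a double extension; line 5 is an external probe that was denied.
SAMPLE_LOG = """\
10.20.4.17 - radtech [10/Apr/2025:09:14:02 +0000] "POST /upload HTTP/1.1" 200 512 upload="study_1234.dcm"
203.0.113.45 - - [10/Apr/2025:09:15:11 +0000] "POST /upload HTTP/1.1" 200 219 upload="shell.aspx"
10.20.7.3 - - [10/Apr/2025:09:16:40 +0000] "POST /upload HTTP/1.1" 200 300 upload="report.pdf.exe"
10.20.4.17 - radtech [10/Apr/2025:09:17:05 +0000] "GET /viewer?study=1234 HTTP/1.1" 200 1024
198.51.100.9 - - [10/Apr/2025:09:18:22 +0000] "GET /viewer HTTP/1.1" 403 0
"""


def parse_line(line: str) -> Dict[str, Optional[str]]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return m.groupdict()


def is_clinical(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLINICAL_NETS)


def upload_extensions(filename: str) -> List[str]:
    """Every extension of a filename, lower-cased: 'report.pdf.exe' gives
    ['pdf', 'exe'], so a double extension cannot hide the final one."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def review(entry: Dict[str, Optional[str]]) -> List[str]:
    """Reasons this request deserves a look; empty when it looks normal."""
    reasons = []
    if not is_clinical(entry["ip"]):
        reasons.append("source outside clinical network")
    if entry["method"] == "POST" and entry.get("upload"):
        if entry["user"] == "-":
            reasons.append("upload without an authenticated user")
        bad = DANGEROUS_EXT.intersection(upload_extensions(entry["upload"]))
        if bad:
            reasons.append("dangerous upload extension: " + ",".join(sorted(bad)))
    return reasons


def analyse(log_text: str) -> List[Dict]:
    """Return one finding per suspicious line, in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = review(entry)
        if reasons:
            findings.append({"line": n, "ip": entry["ip"],
                             "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {f['path']}: " + "; ".join(f["reasons"]))
```

Run it over the last day of proxy logs after the firewall rules are in place: any hit on "source outside clinical network" means the network restriction is not actually holding, and any hit on a dangerous extension on an unpatched System Manager is an incident, not a hardening gap.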