OTPulse

Pixmeo OsiriX MD

Monitor · CVSS 7.5 · ICS-CERT ICSMA-25-128-01 · May 8, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

OsiriX MD contains a use-after-free vulnerability (CWE-416) and transmits credentials without encryption (CWE-319). Together these could allow an attacker to cause memory corruption resulting in denial of service, or to steal credentials. The vulnerability affects OsiriX MD versions 14.0.1_Build_2024-02-28 and earlier.

What this means
What could happen
An attacker with network access could crash the OsiriX MD imaging workstation, disrupting diagnostic workflows, or intercept and steal credentials used for system access. Neither scenario affects direct control of medical devices, but both degrade system availability and security.
Who's at risk
Hospital IT and clinical engineering teams managing OsiriX MD DICOM imaging workstations. This affects diagnostic imaging workflow availability and credential security, impacting radiologists and any staff relying on diagnostic imaging for patient care decisions.
How it could be exploited
An attacker on the same network could send a crafted network request to OsiriX MD that triggers the use-after-free condition, crashing the application. Alternatively, by intercepting unencrypted network traffic, the attacker could capture login credentials transmitted in plaintext during authentication.
Prerequisites
  • Network connectivity to OsiriX MD (port and protocol not specified in advisory)
  • For credential theft: ability to intercept network traffic (same network segment or network path between client and server)
remotely exploitable · no authentication required for DoS exploitation · low complexity · unencrypted credential transmission · no patch available (end-of-life product)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product    | Affected Versions         | Fix Status
OsiriX MD  | ≤ 14.0.1 Build 2024-02-28 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Deploy firewall rules to restrict network access to OsiriX MD systems to only authorized clients and protocols
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update OsiriX MD to the latest available version from Pixmeo
Long-term hardening
HARDENING: Segment the OsiriX MD imaging workstations onto a separate network from general IT infrastructure to limit attacker access
HARDENING: If remote access to OsiriX MD is required, implement a VPN or jump-host architecture rather than direct network exposure
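The firewall workaround above, worked through as an added example (not from the advisory or from Pixmeo): generate a macOS pf allowlist for the OsiriX MD DICOM listener so that only authorized client addresses can reach it, and model the resulting policy to check a source address against it. The advisory does not state the port OsiriX MD listens on, so TCP 11112 (the IANA-registered DICOM port), the interface name en0, and the client addresses are all assumptions or constructed sample data.

```python
# Added example: pf allowlist generator for the OsiriX MD DICOM listener.
# Assumptions (not from the advisory): listener on TCP 11112, interface en0.
import ipaddress

DICOM_PORT = 11112   # assumed; confirm against the workstation's listener config
IFACE = "en0"        # assumed interface facing the clinical network


def build_pf_rules(authorized_clients, iface=IFACE, port=DICOM_PORT):
    """Return pf.conf lines: a table of allowed clients, a pass rule for them,
    and a block rule for every other source hitting the DICOM port."""
    nets = []
    for client in authorized_clients:
        net = ipaddress.ip_network(client, strict=False)  # raises ValueError on garbage
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {client}")
        nets.append(net)
    if not nets:
        raise ValueError("refusing to emit a ruleset with an empty allowlist")
    # Deduplicate and sort so the generated ruleset is stable across runs.
    members = ", ".join(str(n) for n in sorted(set(nets)))
    return [
        f"table <dicom_clients> {{ {members} }}",
        # 'quick' makes pf stop at the first matching rule, so the pass rule
        # must come before the block rule.
        f"pass in quick on {iface} proto tcp from <dicom_clients> to any port {port}",
        f"block drop in quick on {iface} proto tcp from any to any port {port}",
    ]


def is_allowed(src_ip, authorized_clients):
    """Model the policy above: True only if src_ip is inside an allowlisted network."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in authorized_clients)


if __name__ == "__main__":
    # Constructed sample allowlist: two radiology workstations and a PACS subnet.
    sample_clients = ["10.20.30.5", "10.20.30.6", "10.20.40.0/24"]
    print("\n".join(build_pf_rules(sample_clients)))
```

Load the generated lines with `pfctl -f` on the workstation after reviewing them; the block rule only covers the DICOM port, so other services need their own rules.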