Pixmeo OsiriX MD

Monitor | CVSS 7.5 | ICS-CERT ICSMA-25-128-01 | May 8, 2025

Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: Low
  User Interaction: None needed
Summary

OsiriX MD versions 14.0.1_Build_2024-02-28 and earlier contain memory-safety and data-exposure vulnerabilities (CWE-416, CWE-319) that allow an unauthenticated remote attacker to cause a denial of service or obtain stored credentials. Successful exploitation could crash the application or leak sensitive data from memory.

What this means
What could happen
An attacker could crash OsiriX MD or obtain stored credentials by exploiting these memory-safety vulnerabilities, potentially disrupting medical imaging operations and compromising access to patient data systems.
Who's at risk
Medical imaging departments and healthcare facilities using Pixmeo OsiriX MD for diagnostic imaging. Any organization running OsiriX MD 14.0.1 Build 2024-02-28 or earlier is vulnerable, particularly those with network-facing instances or integration with clinical workstations.
How it could be exploited
An attacker with network access to OsiriX MD (no authentication required) can send crafted network requests that trigger the memory-safety flaw, causing the application to crash (denial of service) or leak sensitive credentials held in memory.
Prerequisites
  • Network connectivity to OsiriX MD instance
  • No credentials required
  • OsiriX MD version 14.0.1_Build_2024-02-28 or earlier
Tags: remotely exploitable · no authentication required · low complexity · affects medical systems · no patch available from vendor
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product   | Affected Versions              | Fix Status
OsiriX MD | ≤ 14.0.1 Build 2024-02-28      | No fix yet
Remediation & Mitigation
Do now
  • [HARDENING] Restrict network access to OsiriX MD systems; ensure they are not directly reachable from the Internet or business networks.
  • [HARDENING] Place OsiriX MD systems behind a firewall and isolate them from business networks and untrusted network segments.

Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.

  • [HOTFIX] Contact Pixmeo to obtain and deploy the latest version of OsiriX MD beyond 14.0.1_Build_2024-02-28.
  • [HARDENING] If remote access to OsiriX MD is required, use a VPN with current security patches and restrict VPN access to authorized users only.