Santesoft Sante PACS Server

Plan Patch
CVSS 7.5
ICS-CERT ICSMA-25-224-01
Aug 12, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Santesoft Sante PACS Server versions prior to 4.2.3 contain multiple vulnerabilities including path traversal (CWE-22), use-after-free memory corruption (CWE-415), cleartext transmission of sensitive data (CWE-319), and reflected cross-site scripting (CWE-79). Successful exploitation could allow an attacker to create arbitrary files on the server, cause denial of service, obtain sensitive information, and steal session cookies to impersonate users. The vulnerabilities require only network access and no authentication.

What this means
What could happen
An attacker could disrupt your PACS server's availability, potentially making medical imaging studies inaccessible to clinical staff. The attacker could also create unauthorized files on the system or steal session information to impersonate legitimate users.
Who's at risk
Healthcare facilities using Sante PACS Server for medical imaging storage and retrieval should prioritize this update. Clinical staff depend on PACS availability for diagnostic imaging access; operational disruption impacts patient care workflows.
How it could be exploited
An attacker with network access to the PACS server (typically from the hospital network or Internet if exposed) could send specially crafted requests to exploit path traversal, memory corruption, or insecure transmission flaws to write files, trigger a denial of service, or extract sensitive data without authentication.
Prerequisites
  • Network access to the Sante PACS Server web interface (typically port 80 or 443)
  • No authentication required for exploitation
Tags: remotely exploitable, no authentication required, low complexity, denial of service potential, data theft potential
Exploitability
Some exploitation risk — EPSS score 1.4%
Affected products (1)
Product: Sante PACS Server
Affected Versions: <4.2.3
Fix Status: 4.2.3
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the PACS server to only trusted workstations and imaging devices; do not expose it directly to the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Sante PACS Server to version 4.2.3 or later
Long-term hardening
HARDENING: Segment the PACS network behind a firewall, isolating it from general business network traffic
HARDENING: If remote access to PACS is required, use a VPN gateway rather than direct Internet exposure


Santesoft Sante PACS Server | CVSS 7.5 - OTPulse