Cyber Resilience

CVE-2024-1863

Critical

Published: 01 April 2024
Modified: 08 August 2025
CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0613 (91.0th percentile)
Risk priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-1863 is a critical-severity SQL Injection (CWE-89) vulnerability in Santesoft Sante Pacs Server. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Sante PACS Server contains a SQL injection vulnerability in its token endpoint that permits remote code execution. The flaw occurs when the server processes HTTP requests on port 3000 and fails to validate the user-supplied token parameter before incorporating it into SQL queries, allowing an unauthenticated attacker to execute arbitrary code in the context of the NETWORK SERVICE account. The issue was reported as ZDI-CAN-21539 and carries a CVSS v3 score of 9.8.

Remote attackers require no authentication or user interaction to exploit the vulnerability. By sending a crafted request containing malicious SQL syntax in the token parameter, an attacker can achieve full control over the affected system, including reading, modifying, or deleting data and executing operating-system commands.

The Zero Day Initiative advisory ZDI-24-193 describes the issue and is the primary public reference for affected versions and remediation guidance. The EPSS score has remained flat at 0.0613 since disclosure, with no observed increase.


Vulnerability details

Sante PACS Server Token Endpoint SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of HTTP requests on port 3000. When parsing the token parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-21539.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: santesoft
Product: sante pacs server
Versions: ≤ 3.3.6

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying SQL injection weaknesses and supporting their fixes.
- Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
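The weakness described above (a token parameter spliced into a SQL query without validation) and the input-validation control listed here, shown side by side as an added illustration that is not code from Sante PACS Server or from this page. The in-memory `sessions` table, the `token`/`username` columns and the twelve-character hex token format are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data: a session-token table standing in for whatever the
# real server stores. Schema and column names are assumptions, not Sante PACS's.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT)")
_conn.execute("INSERT INTO sessions VALUES ('a1b2c3d4e5f6', 'radiologist')")
_conn.commit()

# Assumed token format: exactly twelve lowercase hex characters. This is an
# allow-list of what a token may look like, not a blocklist of SQL keywords.
TOKEN_RE = re.compile(r"^[0-9a-f]{12}$")


def validate_token(token: str) -> bool:
    """Reject anything that is not a well-formed token before it reaches SQL."""
    return TOKEN_RE.fullmatch(token) is not None


def lookup_vulnerable(token: str):
    """CWE-89 pattern: the user-supplied token is pasted into the query text."""
    query = f"SELECT username FROM sessions WHERE token = '{token}'"
    row = _conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_hardened(token: str):
    """Validate first, then bind the token as a parameter so the database
    engine only ever treats it as data, never as SQL syntax."""
    if not validate_token(token):
        return None
    row = _conn.execute(
        "SELECT username FROM sessions WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def probe(token: str) -> str:
    """Show how each lookup handles the same token string."""
    try:
        vuln = lookup_vulnerable(token)
    except sqlite3.OperationalError:
        vuln = "sql-error"  # the input altered the structure of the query
    return f"vulnerable={vuln!r} hardened={lookup_hardened(token)!r}"


if __name__ == "__main__":
    print(probe("a1b2c3d4e5f6"))  # well-formed token: both lookups succeed
    print(probe("x'y"))           # stray quote: query breaks vs. input rejected
```

A single stray quote is enough to change the structure of the concatenated query, which is the same defect class the advisory describes; the hardened path never lets malformed input reach the database at all.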
