CVE-2025-0896
Published: 13 February 2025
Summary
CVE-2025-0896 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-17 (Remote Access).
Deeper analysis
Orthanc server versions prior to 1.5.8 contain a missing authentication vulnerability when remote access is enabled. The server does not activate basic authentication by default in this configuration, leaving the DICOM server exposed to network requests without any credential checks. The issue is tracked as CWE-306 and carries a CVSS 4.0 score of 9.2.
An attacker with network reachability to an affected Orthanc instance can connect without credentials and obtain full unauthorized access. Successful exploitation can result in high impact to the confidentiality, integrity, and availability of medical imaging data and related server functions.
A CISA medical advisory (ICSMA-25-037-02) addresses the issue and is available for further mitigation guidance. The associated EPSS score remains low, with a current value of 0.0164 and a peak of 0.0168.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1914
Vulnerability details
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication on public-facing Orthanc server (CWE-306) directly enables remote exploitation without credentials or user interaction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Establishes and enforces remote access policies requiring authentication, directly preventing unauthorized network access to the Orthanc server when remote access is enabled.
Limits and monitors specific actions permitted without identification or authentication, mitigating the missing basic authentication for critical server functions.
Mandates secure configuration settings to enable authentication by default for remote access, addressing the Orthanc server's vulnerable default configuration.