Cyber Resilience

CVE-2025-0896

Critical

Published: 13 February 2025

Modified: 30 July 2025
KEV Added: not listed
CVSS Score (v4): 9.2, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0164 (82.3rd percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0896 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Orthanc-Server Orthanc. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-17 (Remote Access).

Deeper analysis

Orthanc server versions prior to 1.5.8 contain a missing authentication vulnerability when remote access is enabled. The server does not activate basic authentication by default in this configuration, leaving the DICOM server exposed to network requests without any credential checks. The issue is tracked as CWE-306 and carries a CVSS 4.0 score of 9.2.

An attacker with network reachability to an affected Orthanc instance can connect without credentials and obtain full unauthorized access. Successful exploitation can result in high impact to the confidentiality, integrity, and availability of medical imaging data and related server functions.

A CISA medical advisory (ICSMA-25-037-02) addresses the issue and is available for further mitigation guidance. The associated EPSS score remains low, with a current value of 0.0164 and a peak of 0.0168.

Vulnerability details

Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
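The exposure the advisory describes is a configuration state (remote access allowed, authentication not switched on) rather than a code-path bug, so the practical check is a configuration audit. The following is an added example, not code from this advisory or from the Orthanc project: it reads an Orthanc configuration, flags the weak combination, and shows the hardened counterpart. It assumes the Orthanc configuration.json keys RemoteAccessAllowed, AuthenticationEnabled and RegisteredUsers; the two sample configurations, the version comparison and the finding texts are constructed for the example.

```python
"""Audit an Orthanc configuration for the CVE-2025-0896 exposure pattern:
remote access enabled without HTTP basic authentication.

Added example, not part of the advisory or of Orthanc. The key names
(RemoteAccessAllowed, AuthenticationEnabled, RegisteredUsers) are Orthanc
configuration.json keys; the sample configurations are constructed.
"""
import json
from typing import List, Tuple

FIXED_VERSION = (1, 5, 8)  # first release the advisory names as fixed


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '1.5.7' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def audit_orthanc_config(config: dict, version: str) -> List[str]:
    """Return a list of findings; an empty list means no exposure was found.

    On releases before 1.5.8 the advisory states that enabling remote access
    does not enable basic authentication by default, so the dangerous state is
    RemoteAccessAllowed set and AuthenticationEnabled left unset or false.
    """
    findings: List[str] = []
    remote = bool(config.get("RemoteAccessAllowed", False))
    auth = config.get("AuthenticationEnabled")  # None when the key is absent
    users = config.get("RegisteredUsers", {})

    if not remote:
        return findings  # only local clients can reach the HTTP API: out of scope

    if parse_version(version) < FIXED_VERSION and auth is None:
        findings.append(
            f"version {version} is before 1.5.8 and AuthenticationEnabled is "
            "unset while RemoteAccessAllowed is true (CVE-2025-0896 pattern)")
    if auth is False:
        findings.append(
            "RemoteAccessAllowed is true but AuthenticationEnabled is explicitly false")
    if auth is not False and not users:
        findings.append(
            "no RegisteredUsers defined: configure at least one account before "
            "exposing the HTTP API")
    return findings


def audit_json(text: str, version: str) -> List[str]:
    """Same check over a configuration file's JSON text (plain JSON, no comments)."""
    return audit_orthanc_config(json.loads(text), version)


# Constructed sample: the exposed pattern on an affected release.
WEAK_CONFIG = {
    "Name": "ORTHANC-PACS",
    "RemoteAccessAllowed": True,
    # AuthenticationEnabled deliberately absent: affected releases leave it off
}

# Constructed sample: remote access with authentication turned on explicitly.
HARDENED_CONFIG = {
    "Name": "ORTHANC-PACS",
    "RemoteAccessAllowed": True,
    "AuthenticationEnabled": True,
    "RegisteredUsers": {"pacs-admin": "replace-with-a-strong-secret"},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_orthanc_config(cfg, "1.5.7")
        print(f"{label}: {result or 'no findings'}")
```

Setting AuthenticationEnabled to true explicitly, with at least one registered account, closes the gap on any version; upgrading to 1.5.8 or later removes the unsafe default, but the audit still reports a configuration that exposes the API with no accounts defined.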

CWE(s)

CWE-306 Missing Authentication for Critical Function
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on public-facing Orthanc server (CWE-306) directly enables remote exploitation without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5445: same product, Orthanc-Server Orthanc
CVE-2026-5442: same product, Orthanc-Server Orthanc
CVE-2026-5443: same product, Orthanc-Server Orthanc
CVE-2026-5439: same product, Orthanc-Server Orthanc
CVE-2026-5437: same product, Orthanc-Server Orthanc
CVE-2026-5441: same product, Orthanc-Server Orthanc
CVE-2026-5440: same product, Orthanc-Server Orthanc
CVE-2026-5438: same product, Orthanc-Server Orthanc
CVE-2026-5444: same product, Orthanc-Server Orthanc
CVE-2025-21515: shared CWE-306

Affected Assets

Vendor: orthanc-server
Product: orthanc
Versions: ≤ 1.5.8

Mitigating Controls (NIST 800-53 r5)

AC-17 Remote Access (prevent): Establishes and enforces remote access policies requiring authentication, directly preventing unauthorized network access to the Orthanc server when remote access is enabled.

AC-14 Permitted Actions Without Identification or Authentication (prevent): Limits and monitors the specific actions permitted without identification or authentication, mitigating the missing basic authentication for critical server functions.

Configuration settings (prevent): Mandates secure configuration settings so that authentication is enabled by default for remote access, addressing the Orthanc server's vulnerable default configuration.
