CVE-2025-2284
Published: 13 March 2025
Summary
CVE-2025-2284 is a high-severity Access of Uninitialized Pointer (CWE-824) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation). Its EPSS score places it in the top 8.5% of CVEs by estimated exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-16 (Memory Protection).
Deeper analysis
A denial-of-service vulnerability exists in the GetWebLoginCredentials function in Sante PACS Server.exe. It is tracked as CVE-2025-2284 and carries a CVSS 3.1 base score of 7.5: the flaw is reachable over the network and requires neither authentication nor user interaction. It is classified as CWE-824 (Access of Uninitialized Pointer), meaning the function can be driven down a path on which it dereferences a pointer that was never assigned.
An unauthenticated attacker who sends a crafted request to the affected function can crash the server process, a high impact on availability with no impact on confidentiality or integrity. Because the affected component is the web login handler of a PACS server, every workflow that depends on the server loses access to imaging data until the process is restarted. The published EPSS score is 0.0680 and has not moved materially since disclosure.
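The weakness class behind this CVE, shown as an added example rather than Sante PACS Server's own code: a hypothetical login handler that leaves its result pointer uninitialized on the parse-failure path, next to the hardened form. The request syntax, the credential table and the function names are constructed assumptions; the page does not document the actual trigger inside GetWebLoginCredentials.

```c
#include <stdio.h>
#include <string.h>

/* Generic illustration of CWE-824 (Access of Uninitialized Pointer).
 * Added example, not code from Sante PACS Server. The request format,
 * the credential table and the function names are constructed
 * assumptions; the real trigger is not documented on the page. */

struct creds {
    char user[32];
    char token[64];
};

/* Constructed credential store standing in for the server's real one. */
static struct creds TABLE[] = {
    { "alice", "tok-alice" },
    { "bob",   "tok-bob"   },
};

static struct creds *lookup(const char *user)
{
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++)
        if (strcmp(TABLE[i].user, user) == 0)
            return &TABLE[i];
    return NULL;
}

/* Vulnerable pattern. `c` is declared without an initializer and is only
 * assigned when the request carries a well-formed "user=" field. A request
 * without that field (or with an empty or over-long value) skips the
 * assignment, so the NULL check below reads an indeterminate pointer and
 * the dereference faults. Under DEP/ASLR the usual outcome is a process
 * crash: denial of service, which is the impact CVE-2025-2284 reports. */
int get_web_login_credentials_vuln(const char *req, char *out, size_t outlen)
{
    struct creds *c;                          /* CWE-824: never initialized */
    const char *p = strstr(req, "user=");
    if (p != NULL) {
        char user[32] = {0};
        size_t n = strcspn(p + 5, "&");
        if (n > 0 && n < sizeof user) {
            memcpy(user, p + 5, n);
            c = lookup(user);
        }
    }
    if (c == NULL)                            /* undefined behaviour on the bad path */
        return -2;
    snprintf(out, outlen, "%s", c->token);
    return 0;
}

/* Hardened version: initialize the pointer, reject malformed input before
 * any use, and keep the unknown-user path distinct from the parse-failure
 * path. Every return is a defined value and nothing is dereferenced unless
 * lookup() succeeded. */
int get_web_login_credentials_safe(const char *req, char *out, size_t outlen)
{
    struct creds *c = NULL;                   /* always a defined value */
    char user[32] = {0};
    const char *p = strstr(req, "user=");
    if (p == NULL)
        return -1;                            /* malformed request */
    p += 5;
    size_t n = strcspn(p, "&");
    if (n == 0 || n >= sizeof user)
        return -1;                            /* empty or over-long user field */
    memcpy(user, p, n);
    c = lookup(user);
    if (c == NULL)
        return -2;                            /* unknown user */
    snprintf(out, outlen, "%s", c->token);
    return 0;
}

int main(void)
{
    /* Constructed requests: one well-formed, one missing the user field. */
    char buf[64];
    printf("safe, well-formed: rc=%d\n",
           get_web_login_credentials_safe("user=alice&pw=x", buf, sizeof buf));
    printf("safe, no user field: rc=%d\n",
           get_web_login_credentials_safe("pw=x", buf, sizeof buf));
    /* get_web_login_credentials_vuln("pw=x", ...) would read an
     * uninitialized pointer here; it is deliberately not called. */
    return 0;
}
```

Exercise the vulnerable function only with well-formed input; on the malformed path its behaviour is undefined, and the point of the example is that the outcome is a fault rather than a clean error. GCC or Clang with -Wall typically flags the maybe-uninitialized use of `c`, and Clang's MemorySanitizer (-fsanitize=memory) reports the read at runtime, which is how this bug class is normally caught before a release.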
The sole reference points to a Tenable research advisory (TRA-2025-08) that documents the issue. The available data name no fixed version and supply no further mitigation details, so the fixed release has to be confirmed with the advisory or the vendor.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6387
Vulnerability details
A denial-of-service vulnerability exists in the "GetWebLoginCredentials" function in "Sante PACS Server.exe".
- CWE(s): CWE-824 Access of Uninitialized Pointer
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
The CVE describes a remote, unauthenticated denial of service that exploits an uninitialized pointer in a network-facing server application. Crashing the service by sending it a malformed request is exactly the behaviour T1499.004 (Application or System Exploitation) covers under Endpoint Denial of Service.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply the vendor's fix for CVE-2025-2284. This is the only control that removes the uninitialized-pointer path in GetWebLoginCredentials rather than limiting its effect; the available data do not name a fixed version, so confirm it with the vendor or the Tenable advisory.
- SC-5 (Denial-of-service Protection): restrict who can reach the web login interface of Sante PACS Server.exe (network segmentation, allow-listing of clinical subnets or VPN access, rate limiting, and automatic restart of the service) so that unauthenticated requests from arbitrary sources cannot take the process down.
- SI-16 (Memory Protection): keep ASLR and DEP enabled for the server process. Note the limit of this control here: dereferencing an uninitialized pointer still faults, so ASLR and DEP do not prevent the crash and do not reduce the availability impact. What they do is make it much harder to turn the same flaw into anything worse than a denial of service.