CVE-2025-25475
Published: 18 February 2025
Summary
CVE-2025-25475 is a high-severity NULL pointer dereference (CWE-476) vulnerability in OFFIS DCMTK. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 41.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mandates timely remediation of the NULL pointer dereference flaw in DCMTK via the available patches to prevent DoS exploitation.
- SI-10 (Information Input Validation): requires validation of DICOM file inputs to block crafted files that trigger the NULL pointer dereference crash.
- SI-11 (Error Handling): ensures secure error handling so that a NULL pointer dereference does not crash the application and compromise availability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The NULL pointer dereference in the DICOM parser lets a remote, unauthenticated attacker crash the application (DoS) with a crafted file, which directly matches application exploitation for endpoint denial of service (T1499.004).
NVD Description
A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a Denial of Service (DoS) via a crafted DICOM file.
Deeper analysis
CVE-2025-25475 is a NULL pointer dereference vulnerability (CWE-476) affecting the /libsrc/dcrleccd.cc component in DCMTK v3.6.9+ DEV versions. Published on 2025-02-18, it enables attackers to trigger a Denial of Service (DoS) by processing a crafted DICOM file. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high severity due to its network accessibility, low complexity, and significant availability impact with no privileges or user interaction required.
Remote, unauthenticated attackers can exploit this vulnerability by supplying a malicious DICOM file to any DCMTK-based application or service that parses such files, such as medical imaging systems. Exploitation leads to an application crash via the NULL pointer dereference, resulting in DoS without affecting confidentiality or integrity.
A fix is available in DCMTK's repository as commit bffa3e9116abb7038b432443f16b1bd390e80245, accessible through the project's Git and GitHub mirrors. Debian LTS has also addressed the issue in an announcement dated 2025/06. Security practitioners should update affected DCMTK instances and, where possible, validate DICOM inputs before they reach the parser.
Details
- CWE(s)