Cyber Resilience

CVE-2025-25475

High

Published: 18 February 2025

Modified: 04 November 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0020 (42.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25475 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in OFFIS DCMTK. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 42.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2025-25475 is a NULL pointer dereference vulnerability (CWE-476) affecting the /libsrc/dcrleccd.cc component in DCMTK v3.6.9+ DEV versions. Published on 2025-02-18, it enables attackers to trigger a Denial of Service (DoS) by processing a crafted DICOM file. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high severity due to its network accessibility, low complexity, and significant availability impact with no privileges or user interaction required.

Remote, unauthenticated attackers can exploit this vulnerability by supplying a malicious DICOM file to any DCMTK-based application or service that parses such files, such as medical imaging systems. Exploitation leads to an application crash via the NULL pointer dereference, resulting in DoS without affecting confidentiality or integrity.

Mitigation patches are available in DCMTK's repository via commit bffa3e9116abb7038b432443f16b1bd390e80245, accessible through the project's Git and GitHub mirrors. Debian LTS has also addressed the issue in an announcement dated 2025/06. Security practitioners should update affected DCMTK instances and validate DICOM inputs where possible.
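The "validate DICOM inputs" advice above can be implemented as an admission gate in front of any DCMTK-based parser. The following is an added example, not code from this page or from the DCMTK project: it parses only the DICOM Part 10 File Meta Information (group 0002, Explicit VR Little Endian), rejects files whose meta header is truncated or whose element lengths overrun the file, and identifies RLE Lossless files (transfer syntax 1.2.840.10008.1.2.5, the path that goes through dcrleccd.cc, DCMTK's RLE codec decoder) so that they can be quarantined or routed only to patched instances. It assumes Part 10 files with a preamble; it is a structural gate, not a detector for the crafted condition itself, which only the patch removes. The sample files are constructed inline.

```python
import struct

RLE_LOSSLESS_UID = "1.2.840.10008.1.2.5"  # transfer syntax handled by DCMTK's RLE decoder
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs carrying a 4-byte length field

def parse_file_meta(data: bytes) -> dict:
    """Parse DICOM Part 10 File Meta Information (group 0002, Explicit VR LE) into
    {(group, elem): value_bytes}; raises ValueError on any structural defect."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos, meta = 132, {}
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated element header at offset %d" % pos)
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if group != 0x0002:            # meta group finished; the dataset follows
            break
        if vr in LONG_VRS:             # 2 reserved bytes + 4-byte length
            if pos + 12 > len(data):
                raise ValueError("truncated long-VR header at offset %d" % pos)
            (length,), pos = struct.unpack_from("<I", data, pos + 8), pos + 12
        else:                          # 2-byte length
            (length,), pos = struct.unpack_from("<H", data, pos + 6), pos + 8
        if pos + length > len(data):   # also catches the undefined length 0xFFFFFFFF
            raise ValueError("(%04X,%04X) length %d overruns the file" % (group, elem, length))
        meta[(group, elem)] = data[pos:pos + length]
        pos += length
    if (0x0002, 0x0010) not in meta:
        raise ValueError("missing Transfer Syntax UID (0002,0010)")
    return meta

def is_well_formed(data: bytes) -> bool:  # admission gate: reject before any decoder runs
    try:
        parse_file_meta(data)
        return True
    except ValueError:
        return False

def uses_rle(data: bytes) -> bool:  # RLE Lossless pixel data goes through the RLE decoder
    uid = parse_file_meta(data)[(0x0002, 0x0010)].rstrip(b"\x00").decode("ascii")  # UI null pad
    return uid == RLE_LOSSLESS_UID

def _ui(group: int, elem: int, value: str) -> bytes:  # builds one UI element, Explicit VR LE
    v = value.encode("ascii")
    v += b"\x00" * (len(v) % 2)        # UI values are padded to even length
    return struct.pack("<HH", group, elem) + b"UI" + struct.pack("<H", len(v)) + v

# Constructed samples (not real files): preamble + "DICM" + meta group; the second one claims
# a 40-byte Transfer Syntax value but only 5 bytes follow, so it must be rejected, not decoded
SAMPLE_RLE = b"\x00" * 128 + b"DICM" + _ui(0x0002, 0x0010, RLE_LOSSLESS_UID)
SAMPLE_TRUNCATED = b"\x00" * 128 + b"DICM" + b"\x02\x00\x10\x00UI" + struct.pack("<H", 40) + b"1.2.8"
```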

EU & UK References

Vulnerability details

A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a Denial of Service (DoS) via a crafted DICOM file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in DICOM parser enables remote unauthenticated application crash/DoS via crafted file, directly matching application exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62600 (same product: Debian Linux)
CVE-2025-62599 (same product: Debian Linux)
CVE-2024-58054 (same product: Debian Linux)
CVE-2024-56374 (same product: Debian Linux)
CVE-2025-62602 (same product: Debian Linux)
CVE-2026-23490 (same product: Debian Linux)
CVE-2025-26699 (same product: Debian Linux)
CVE-2026-40413 (shared CWE-476)
CVE-2025-57155 (shared CWE-476)
CVE-2026-28390 (shared CWE-476)

Affected Assets

OFFIS DCMTK 3.6.9
Debian Linux 11.0

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mandates timely remediation of the NULL pointer dereference flaw in DCMTK via available patches to prevent DoS exploitation.

Prevent (SI-10 Information Input Validation): Requires validation of DICOM file inputs to block crafted files that trigger the NULL pointer dereference crash.

Prevent (SI-11 Error Handling): Ensures secure error handling to avoid application crashes from NULL pointer dereferences without compromising availability.

References