CVE-2025-0896 Overview
CVE-2025-0896 is a critical missing-authentication vulnerability affecting Orthanc server versions prior to 1.5.8. The vulnerability exists because the Orthanc server does not enable basic authentication by default when remote access is enabled, potentially allowing an attacker unauthorized access to medical imaging data and DICOM systems.
Critical Impact
Unauthorized attackers can gain complete access to medical imaging servers without authentication, potentially exposing sensitive patient health information and allowing manipulation of medical data.
Affected Products
- Orthanc server (vendor: Orthanc-server), versions prior to 1.5.8
- All Orthanc deployments with remote access enabled and default configuration
Discovery Timeline
- February 13, 2025 - CVE-2025-0896 published to NVD
- July 30, 2025 - Last updated in NVD database
Technical Details for CVE-2025-0896
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). Orthanc is an open-source, lightweight DICOM server used in medical imaging environments for storing, managing, and sharing radiological images. The default configuration fails to enforce authentication mechanisms when the server is configured for remote access, creating a significant security gap.
In healthcare environments, DICOM servers like Orthanc handle sensitive Protected Health Information (PHI) including medical images, patient identifiers, and diagnostic data. The lack of default authentication means that any network-accessible Orthanc instance running a vulnerable version may expose this critical data to unauthorized parties.
CISA has issued a Medical Advisory (ICSMA-25-037-02) for this vulnerability, highlighting its significance in healthcare and medical device security contexts.
Root Cause
The root cause of this vulnerability is the insecure default configuration of the Orthanc server. When remote access is enabled, the server does not automatically require authentication and instead operates under an implicit trust model. This design decision prioritizes ease of deployment over security and assumes that administrators will manually configure authentication, an assumption that often proves incorrect in real-world deployments.
Attack Vector
The vulnerability is exploitable over the network without requiring any authentication or user interaction. An attacker with network access to a vulnerable Orthanc server can directly connect and interact with the DICOM server interface, potentially:
- Accessing and exfiltrating patient medical images and associated metadata
- Modifying or deleting medical imaging records
- Uploading malicious DICOM files to the server
- Using the compromised server as a pivot point for further network intrusion
The attack is straightforward—an attacker simply needs to identify exposed Orthanc instances (potentially through internet scanning tools like Shodan) and connect directly without credentials.
Detection Methods for CVE-2025-0896
Indicators of Compromise
- Unexpected connections to Orthanc server ports (default HTTP port 8042, DICOM port 4242)
- Access logs showing requests from unknown or external IP addresses
- Unusual data transfer volumes from the DICOM server
- Unauthorized queries or modifications to patient imaging studies
Detection Strategies
- Implement network monitoring to detect unauthorized access attempts to Orthanc server endpoints
- Review Orthanc access logs for connections without authentication headers
- Deploy intrusion detection rules to identify DICOM protocol traffic from untrusted sources
- Conduct periodic configuration audits to verify authentication is properly enabled
Monitoring Recommendations
- Enable verbose logging in Orthanc configuration to capture all access attempts
- Monitor network traffic to ports 8042 (HTTP API) and 4242 (DICOM) for anomalous patterns
- Set up alerts for access from IP addresses outside the trusted healthcare network
- Implement SIEM rules to correlate Orthanc access events with known threat indicators
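As an added illustration of the log-review and monitoring strategies listed above (this is example code written for this page, not part of the advisory or of the Orthanc project), the following Python script parses access-log lines in the generic "combined" format that a reverse proxy in front of Orthanc's HTTP port would write, and flags the indicators named above: sources outside the trusted network, requests to imaging-data endpoints without an authenticated user, modifying requests, and per-source transfer volume. The log format, the sample lines, the IP addresses and the trusted range 10.20.0.0/16 are constructed assumptions; Orthanc's own log output looks different, so adapt the regular expression to the format you actually collect.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in the generic "combined" access-log format that a
# reverse proxy in front of Orthanc's HTTP port (8042) would write. The third
# field is the user name taken from the HTTP Basic Authorization header, or "-"
# when the request carried none. These are NOT real Orthanc log lines; the
# format, addresses and paths are assumptions for this example.
SAMPLE_LOG = """\
10.20.0.15 - radiologist [13/Feb/2025:09:12:01 +0000] "GET /studies HTTP/1.1" 200 5120
198.51.100.77 - - [13/Feb/2025:09:13:44 +0000] "GET /patients HTTP/1.1" 200 8831
198.51.100.77 - - [13/Feb/2025:09:13:45 +0000] "GET /instances/abc/file HTTP/1.1" 200 524288
10.20.0.15 - - [13/Feb/2025:09:14:02 +0000] "GET /system HTTP/1.1" 200 410
203.0.113.9 - - [13/Feb/2025:09:15:10 +0000] "DELETE /studies/1234 HTTP/1.1" 200 0
"""

# Trusted address range of the healthcare network (assumed for this example).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Orthanc REST resources that expose or change imaging data.
SENSITIVE_PREFIXES = ("/patients", "/studies", "/series", "/instances")
MODIFYING_METHODS = {"POST", "PUT", "DELETE"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    method: str
    path: str
    reasons: tuple


def is_trusted(ip: str) -> bool:
    """True when the source address lies inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyse(log_text: str) -> list:
    """Return one Finding per suspicious request; lines that do not parse are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, path = m["ip"], m["user"], m["method"], m["path"]
        sensitive = path.startswith(SENSITIVE_PREFIXES)
        reasons = []
        if not is_trusted(ip):
            reasons.append("source outside trusted network")
        if sensitive and user == "-":
            reasons.append("imaging data requested without authenticated user")
        if sensitive and method in MODIFYING_METHODS:
            reasons.append("modifying request on imaging data")
        if reasons:
            findings.append(Finding(ip, method, path, tuple(reasons)))
    return findings


def bytes_by_untrusted_source(log_text: str) -> dict:
    """Sum response bytes per source address outside the trusted network, to
    surface unusual transfer volumes such as a bulk download of studies."""
    totals = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not is_trusted(m["ip"]):
            totals[m["ip"]] = totals.get(m["ip"], 0) + int(m["bytes"])
    return totals


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ip:15} {f.method:6} {f.path:25} {'; '.join(f.reasons)}")
    print(bytes_by_untrusted_source(SAMPLE_LOG))
```

The script is deliberately conservative: a request from inside the trusted range to a non-imaging endpoint such as /system produces no finding, while an external DELETE on a study without credentials carries all three reasons. The per-source byte totals are what a SIEM rule would threshold to catch the "unusual data transfer volumes" indicator.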
How to Mitigate CVE-2025-0896
Immediate Actions Required
- Upgrade Orthanc server to version 1.5.8 or later immediately
- Enable authentication in the Orthanc configuration file if running a vulnerable version
- Restrict network access to Orthanc servers using firewall rules to trusted IP ranges only
- Conduct an audit of existing Orthanc deployments to identify any with remote access enabled
Patch Information
The vulnerability is addressed in Orthanc version 1.5.8 and later releases. Organizations should upgrade to the latest stable version available. For detailed information, refer to the CISA Medical Advisory ICSMA-25-037-02.
Workarounds
- Configure AuthenticationEnabled to true in the Orthanc configuration file
- Implement network segmentation to isolate DICOM servers from untrusted networks
- Deploy a reverse proxy with authentication in front of Orthanc instances
- Disable remote access entirely if not operationally required
Orthanc configuration example to enable authentication. Edit the Configuration.json file and add or modify these settings:

{
  "AuthenticationEnabled": true,
  "RegisteredUsers": {
    "admin": "strong-password-here"
  }
}

Restart the Orthanc service after configuration changes.
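To support the periodic configuration audits recommended in the detection section and to check the workaround above, here is an added Python audit script (example code for this page, not part of Orthanc or the advisory). It parses a configuration file and reports the weak states the advisory describes: remote access enabled with AuthenticationEnabled absent or false, authentication enabled with no registered users, and users whose password is empty or still the placeholder from the snippet above. The key names RemoteAccessAllowed, AuthenticationEnabled and RegisteredUsers are Orthanc's own; the two example configurations and the password value in the hardened one are constructed for this example.

```python
import json

# Passwords that must never reach production: empty, or the placeholder used in
# the configuration snippet above.
PLACEHOLDER_PASSWORDS = {"", "strong-password-here"}

# Constructed example configurations, not taken from any real deployment.
# "RemoteAccessAllowed", "AuthenticationEnabled" and "RegisteredUsers" are
# Orthanc's own configuration keys; the values here are assumptions.
WEAK_CONFIG = """{
  "Name": "ORTHANC",
  "RemoteAccessAllowed": true
}"""

HARDENED_CONFIG = """{
  "Name": "ORTHANC",
  "RemoteAccessAllowed": true,
  "AuthenticationEnabled": true,
  "RegisteredUsers": { "admin": "c0nstructed-Example-Pa55w0rd" }
}"""


def audit_config(config: dict) -> list:
    """Return findings for a parsed Orthanc configuration; [] means the checks pass."""
    findings = []
    remote = bool(config.get("RemoteAccessAllowed", False))
    auth = config.get("AuthenticationEnabled")   # None when the key is absent
    users = config.get("RegisteredUsers") or {}

    # Versions before 1.5.8 leave authentication off unless it is set explicitly,
    # so an absent key is reported as well as an explicit false.
    if remote and auth is None:
        findings.append("RemoteAccessAllowed is true but AuthenticationEnabled is not set "
                        "(versions before 1.5.8 then run without authentication)")
    elif remote and auth is False:
        findings.append("RemoteAccessAllowed is true and AuthenticationEnabled is false")

    if auth is True and not users:
        findings.append("AuthenticationEnabled is true but RegisteredUsers is empty")
    for name, password in users.items():
        if password in PLACEHOLDER_PASSWORDS:
            findings.append(f"user '{name}' has an empty or placeholder password")
    return findings


def audit_json(text: str) -> list:
    """Parse the text of a configuration file and audit it."""
    return audit_config(json.loads(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_json(text)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

One caveat when pointing this at a real file: the configuration files shipped with Orthanc contain // comments, which json.loads rejects, so strip or ignore those lines before parsing. Run the audit from a scheduled job and treat any non-empty result as a ticket, since a single absent key is enough to leave a pre-1.5.8 server open.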
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

