CVE-2025-2264 Overview
CVE-2025-2264 is a path traversal information disclosure vulnerability in Santesoft Sante PACS Server. The flaw resides in Sante PACS Server.exe and allows an unauthenticated remote attacker to download arbitrary files from the disk drive where the application is installed. The issue is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Tenable Research disclosed the vulnerability through advisory TRA-2025-08. Sante PACS Server is widely used in medical imaging environments to store and transmit DICOM files, making exposed deployments attractive targets for adversaries seeking patient data or configuration files.
Critical Impact
Unauthenticated remote attackers can read arbitrary files from the host drive, exposing patient imaging data, configuration files, and credentials.
Affected Products
- Santesoft Sante PACS Server 4.1.0
- Windows deployments running Sante PACS Server.exe
- Healthcare environments using Sante PACS for DICOM storage and retrieval
Discovery Timeline
- 2025-03-13 - CVE-2025-2264 published to NVD with Tenable advisory TRA-2025-08
- 2025-04-03 - Last updated in NVD database
Technical Details for CVE-2025-2264
Vulnerability Analysis
The vulnerability allows attackers to bypass directory restrictions and retrieve files outside the intended web-accessible directory of the PACS server. Sante PACS Server exposes HTTP services for managing and viewing DICOM medical imaging data. The application fails to properly canonicalize and validate user-supplied path components in file retrieval requests.
An unauthenticated attacker who can reach the PACS service over the network can issue crafted requests containing traversal sequences such as ../ to escape the document root. The server processes these requests and returns the contents of any file readable by the service account on the installation drive.
Successful exploitation discloses sensitive data including DICOM patient files protected under HIPAA, server configuration files, database credentials, and Windows system files. The vulnerability does not affect integrity or availability, only confidentiality.
Root Cause
The root cause is improper input validation in the file-serving routine of Sante PACS Server.exe. The server concatenates attacker-controlled path segments with a base directory without normalizing parent-directory references or enforcing a path prefix check after canonicalization, classic CWE-22 behavior.
Attack Vector
Exploitation requires only network access to the PACS HTTP listener and no authentication or user interaction. An attacker sends an HTTP request containing encoded or raw ../ sequences within a file parameter to traverse upward from the application's serving directory and request arbitrary files by absolute or relative path. The Tenable advisory documents the request format and proof-of-concept details.
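The root cause and attack vector described above, shown side by side in code. This is an added example, not code from Sante PACS Server or the Tenable advisory: the web root path and the way the requested path is handled are assumptions, `resolve_unsafe` is a minimal reconstruction of the CWE-22 pattern (concatenate, then let the filesystem resolve the dots), and `resolve_safe` is the hardened form that fully decodes, canonicalises and then enforces a prefix check.

```python
import ntpath
from urllib.parse import unquote

# Constructed example value: the product's real web root is not given on the page.
WEB_ROOT = r"C:\SantePACS\www"

def fully_decode(value, max_rounds=3):
    """Undo URL encoding until it stops changing (bounded), so a double-encoded
    %252e%252e is seen as '..' before any path check runs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_unsafe(base, requested):
    """The CWE-22 pattern: decode once, glue the request onto the base directory
    and hand the result to the filesystem, which resolves the '..' segments itself.
    ntpath is used so the Windows semantics hold wherever this runs."""
    return ntpath.normpath(ntpath.join(base, unquote(requested)))

def resolve_safe(base, requested):
    """Hardened form: decode fully, canonicalise, then require the result to stay
    inside the base directory. Returns None for anything that escapes it."""
    base_abs = ntpath.abspath(base)
    target = ntpath.abspath(ntpath.join(base_abs, fully_decode(requested)))
    try:
        inside = ntpath.commonpath([base_abs, target]) == base_abs
    except ValueError:          # different drive letters: certainly outside
        inside = False
    return target if inside else None
```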
Detection Methods for CVE-2025-2264
Indicators of Compromise
- HTTP requests to the Sante PACS Server containing ../, ..\, %2e%2e%2f, or %2e%2e/ traversal sequences in URL paths or query parameters.
- Access log entries showing successful 200 responses for file paths outside the standard PACS storage directory.
- Outbound transfers of unusually large or numerous files from the PACS host to untrusted IP addresses.
Detection Strategies
- Inspect web server and reverse proxy logs for path traversal patterns targeting the PACS service port.
- Deploy IDS/IPS signatures matching known traversal payloads against traffic destined for Sante PACS hosts.
- Hunt for process activity from Sante PACS Server.exe that reads files outside its installation and DICOM storage directories.
Monitoring Recommendations
- Forward Sante PACS access logs and Windows file-access audit events to a centralized SIEM for correlation.
- Alert on unauthenticated requests that return non-DICOM file types such as .ini, .config, .log, or executables.
- Baseline normal client request patterns and flag deviations in requested file paths.
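The log inspection in Detection Strategies and the non-DICOM-file alert in Monitoring Recommendations, implemented over a few constructed access-log lines. This is an added example, not tooling from Santesoft or Tenable: the combined log format, the `/viewer/` path and the `file=` query parameter are assumptions, and the real PACS log format will need its own `LINE_RE`.

```python
import re
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format). Hosts, paths and
# sizes are made up for the example.
SAMPLE_LOG = """\
10.0.5.21 - - [13/Mar/2025:10:01:02 +0000] "GET /viewer/studies/1.2.840.1.dcm HTTP/1.1" 200 524288
10.0.5.21 - - [13/Mar/2025:10:01:05 +0000] "GET /viewer/app.js HTTP/1.1" 200 31244
203.0.113.9 - - [13/Mar/2025:10:02:17 +0000] "GET /viewer/..%2f..%2f..%2fWindows%2fwin.ini HTTP/1.1" 200 92
203.0.113.9 - - [13/Mar/2025:10:02:20 +0000] "GET /viewer/%252E%252E/%252E%252E/config/server.ini HTTP/1.1" 200 1822
203.0.113.9 - - [13/Mar/2025:10:02:25 +0000] "GET /viewer/?file=..%5C..%5Cboot.ini HTTP/1.1" 404 0
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                     r'(?P<status>\d{3}) \d+')
# A '..' segment at the start, after a slash, or after a query delimiter
TRAVERSAL_RE = re.compile(r"(?:^|[/?&=])\.\.(?:/|$)")
# File types a PACS web listener has no business returning to a client
SENSITIVE_EXT = {".ini", ".config", ".log", ".exe", ".dll"}

def decode_target(raw, max_rounds=3):
    """URL-decode until stable (bounded) so %252E%252E and %2e%2e compare as a
    plain '..', then fold backslashes so ..\\ is treated like ../."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.replace("\\", "/")

def classify(target, status):
    """Return finding tags for one request; an empty list means benign."""
    decoded = decode_target(target)
    findings = []
    if TRAVERSAL_RE.search(decoded):
        findings.append("traversal")
    ext = posixpath.splitext(urlsplit(decoded).path)[1].lower()
    if status == "200" and ext in SENSITIVE_EXT:
        findings.append("sensitive-file-served")
    return findings

def scan(log_text):
    """Return (client ip, raw target, findings) for each line that raised a finding."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            tags = classify(m["target"], m["status"])
            if tags:
                hits.append((m["ip"], m["target"], tags))
    return hits
```

A 200 for a traversal request is the confirmation of disclosure; a 404 with the same pattern is still worth alerting on as reconnaissance against the host.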
How to Mitigate CVE-2025-2264
Immediate Actions Required
- Upgrade Sante PACS Server to the latest version published by Santesoft that addresses CVE-2025-2264.
- Restrict network exposure of the PACS service to trusted clinical VLANs and authenticated VPN users only.
- Audit the host filesystem for sensitive files reachable from the installation drive and relocate or restrict them.
Patch Information
Refer to the Tenable Research Advisory TRA-2025-08 for vendor remediation guidance. Administrators should consult Santesoft directly for the patched build that supersedes version 4.1.0 and apply it across all PACS instances.
Workarounds
- Place Sante PACS Server behind a reverse proxy or web application firewall that normalizes URLs and blocks traversal sequences.
- Run the PACS service under a least-privilege Windows account with read access limited to the DICOM storage directory.
- Apply host-based firewall rules to allow inbound connections only from authorized imaging modalities and workstations.
# Example WAF rule (ModSecurity) to block path traversal against PACS.
# REQUEST_URI is matched raw, so the transformations decode and lowercase it
# first; otherwise %2E%2E%2F, ..%5C and double-encoded variants slip past.
SecRule REQUEST_URI "@rx (?:\.\.[/\\]|%2e%2e(?:%2f|%5c))" \
    "id:1002264,phase:1,deny,status:403,log,\
    t:none,t:urlDecodeUni,t:lowercase,\
    msg:'CVE-2025-2264 Sante PACS path traversal attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.