CVE-2025-27578 Overview
CVE-2025-27578 is a use-after-free vulnerability in Pixmeo OsiriX MD, a medical imaging application used in healthcare environments to view and process DICOM (Digital Imaging and Communications in Medicine) files. An attacker who can get a specially crafted DICOM file processed by OsiriX MD can trigger memory corruption, leading to a denial-of-service condition. This is particularly concerning in clinical settings, where imaging system availability directly affects patient care.
Critical Impact
Exploitation of this vulnerability can cause memory corruption and denial of service in medical imaging systems, potentially disrupting healthcare operations and diagnostic workflows.
Affected Products
- Pixmeo OsiriX MD (medical imaging software)
- Systems processing DICOM files through OsiriX MD
Discovery Timeline
- 2025-05-08 - CVE-2025-27578 published to NVD
- 2025-05-12 - Last updated in NVD database
Technical Details for CVE-2025-27578
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a class of memory corruption bug in which a program continues to use a pointer after the memory it references has been freed. In OsiriX MD the condition is reached while parsing DICOM files, the standard container format for medical imaging data.
When OsiriX MD parses a maliciously crafted DICOM file, the application accesses memory that has already been deallocated. The result is undefined behaviour, observed in practice as memory corruption, application crashes, or an unresponsive viewer. Because OsiriX MD accepts DICOM objects over the network through its DICOM listener, an attacker does not need local access to the host: it is enough to get a crafted file sent to, or stored where it will be imported by, a vulnerable instance.
The vulnerability has received attention from CISA through an ICS Medical Advisory (ICSMA-25-128-01), highlighting its relevance to healthcare critical infrastructure.
Root Cause
The root cause of CVE-2025-27578 is improper memory management in OsiriX MD's DICOM parsing routines. When certain malformed or specially crafted DICOM data structures are processed, the application frees a memory region prematurely while still holding a reference (a dangling pointer) to it. A later operation that dereferences that pointer produces the use-after-free condition.
Use-after-free bugs typically arise from complex object lifecycle management, where several code paths touch the same allocation and ownership is not tracked with reference counting or clear borrowing rules; an error or retry path that releases a buffer while another path still holds a pointer to it is a common shape of the defect.
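The following C program is an added illustration of the dangling-pointer pattern described above, written for this page. It is hypothetical code, not OsiriX MD's, and it models the CWE-416 shape in a DICOM-style element lifecycle rather than the real code path behind CVE-2025-27578. The element type, the `element_new`/`element_free` helpers and the sample PatientName value are all constructed for the example; the vulnerable function borrows a pointer into an element's value buffer and then frees the element, while the hardened function copies the value out before the free so that no pointer outlives its allocation.

```c
/*
 * Added illustration of CWE-416 in a DICOM-style element lifecycle, written
 * for this page. Hypothetical code, not OsiriX MD's; it models the pattern
 * described in the root-cause section, not the actual CVE-2025-27578 code path.
 *
 * To watch AddressSanitizer catch the dangling read:
 *   cc -g -fsanitize=address uaf_demo.c -o uaf_demo && ./uaf_demo vulnerable
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal element model: tag, value length, and a heap buffer for the value. */
typedef struct {
    uint16_t group;
    uint16_t element;
    uint32_t length;
    uint8_t *value;
} dicom_element;

/* Constructed sample value for (0010,0010) PatientName; not from a real study. */
static const char SAMPLE_NAME[] = "DOE^JOHN";

static dicom_element *element_new(uint16_t group, uint16_t element,
                                  const void *value, uint32_t length)
{
    dicom_element *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->value = malloc(length);
    if (!e->value) { free(e); return NULL; }
    memcpy(e->value, value, length);
    e->group = group;
    e->element = element;
    e->length = length;
    return e;
}

static void element_free(dicom_element *e)
{
    if (!e) return;
    free(e->value);
    free(e);
}

/* VULNERABLE: hands out a pointer into the element's buffer and then frees the
 * element. The returned pointer dangles; any read through it is a
 * use-after-free. Ownership was never transferred, only borrowed. */
const uint8_t *vulnerable_patient_name(uint32_t *len_out)
{
    dicom_element *e = element_new(0x0010, 0x0010, SAMPLE_NAME, sizeof SAMPLE_NAME - 1);
    if (!e) return NULL;
    const uint8_t *borrowed = e->value;   /* no copy, no reference count */
    *len_out = e->length;
    element_free(e);                      /* buffer released while still referenced */
    return borrowed;                      /* caller now holds freed memory */
}

/* HARDENED: copy the value out while the element is alive, free the element,
 * and return a buffer the caller owns (and must free). No pointer outlives
 * the allocation it refers to. */
char *hardened_patient_name(void)
{
    dicom_element *e = element_new(0x0010, 0x0010, SAMPLE_NAME, sizeof SAMPLE_NAME - 1);
    if (!e) return NULL;
    char *copy = malloc((size_t)e->length + 1);
    if (copy) {
        memcpy(copy, e->value, e->length);
        copy[e->length] = '\0';
    }
    element_free(e);                      /* nothing else references e->value now */
    return copy;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "vulnerable") == 0) {
        uint32_t len = 0;
        const uint8_t *p = vulnerable_patient_name(&len);
        /* Undefined behaviour: ASan reports heap-use-after-free on this read. */
        printf("vulnerable read: %.*s\n", (int)len, (const char *)p);
        return 0;
    }
    char *name = hardened_patient_name();
    if (!name) return 1;
    printf("hardened read: %s\n", name);
    free(name);
    return 0;
}
```

Without a sanitizer the vulnerable path will often appear to work, because the freed bytes are frequently still intact; that is exactly why such bugs survive testing and surface only as intermittent crashes once a crafted input changes what gets reallocated. The hardened version fixes the ownership rule rather than the symptom: whoever frees the element must be the last holder of pointers into it.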
Attack Vector
The attack vector for CVE-2025-27578 is network-based and requires neither authentication nor user interaction. Exploitation follows this sequence:
- The attacker crafts a DICOM file whose data structures steer the parser into the use-after-free condition
- The file is transmitted or uploaded to a system running OsiriX MD
- OsiriX MD parses the file and the access through the dangling pointer corrupts memory
- The application crashes or hangs, denying service to its users
No prior access to the target is required. Anyone who can deliver a DICOM object to the host, whether over the DICOM network protocol (a C-STORE to the OsiriX listener) or through the file shares and import folders used in imaging workflows, can reach the vulnerable parsing code.
Detection Methods for CVE-2025-27578
Indicators of Compromise
- Unexpected application crashes or restarts of OsiriX MD processes
- Memory access violation errors in application logs during DICOM file processing
- Unusual DICOM files with malformed or atypical data structures in imaging workflows
- System stability issues correlated with DICOM file ingestion activities
Detection Strategies
- Monitor OsiriX MD application logs and macOS crash reports (the DiagnosticReports directories) for EXC_BAD_ACCESS / segmentation fault entries or unexpected termination events, especially ones whose timestamps line up with DICOM receive or import activity
- Implement network-level inspection of DICOM traffic for anomalous file structures
- Deploy endpoint detection solutions capable of identifying memory corruption exploitation attempts
- Establish baseline behavior for OsiriX MD resource utilization and alert on significant deviations
Monitoring Recommendations
- Enable verbose logging for OsiriX MD to capture detailed information about file processing operations
- Implement file integrity monitoring on DICOM storage locations to detect potentially malicious uploads
- Configure alerting for repeated application crashes or service interruptions
- Monitor network traffic to PACS (Picture Archiving and Communication System) infrastructure for unusual patterns
How to Mitigate CVE-2025-27578
Immediate Actions Required
- Consult the CISA ICS Medical Advisory for specific remediation guidance
- Restrict network access to OsiriX MD systems to trusted sources only
- Implement network segmentation to isolate medical imaging systems from general network traffic
- Review and validate all DICOM file sources entering your imaging environment
Patch Information
Organizations should contact Pixmeo directly for patch availability and update guidance. The vendor can be reached through their official contact page. Additional product information is available on the OsiriX MD product page.
Ensure that all instances of OsiriX MD are updated to the latest available version once patches addressing CVE-2025-27578 are released.
Workarounds
- Implement strict input validation and filtering for incoming DICOM files at network boundaries
- Deploy application-level firewalls or proxies capable of inspecting DICOM traffic for malformed content
- Limit DICOM file sources to known, trusted systems and implement authentication for file transfers
- Consider running OsiriX MD in isolated environments with limited network exposure until patches are applied
# Example network segmentation for medical imaging systems (conceptual).
# OsiriX MD runs on macOS, so these iptables rules belong on a Linux gateway or
# firewall in front of the OsiriX host; on the Mac itself apply the same policy
# with pf. Replace <trusted_pacs_ip>, and if the OsiriX listener is configured
# on a port other than the IANA-registered DICOM ports, change --dport to match.
# Allow DICOM (port 104) only from the trusted PACS, drop everything else
iptables -A INPUT -p tcp --dport 104 -s <trusted_pacs_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 104 -j DROP
# Same policy for DICOM over TLS (port 2762)
iptables -A INPUT -p tcp --dport 2762 -s <trusted_pacs_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 2762 -j DROP
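The detection items above ask for inspection of DICOM traffic for malformed structures, and the workarounds ask for input validation at the boundary. As an added example written for this page (not OsiriX MD's code, and not a signature for the CVE-2025-27578 trigger, which the page does not describe), the following C program performs a bounds-checked sanity check of the DICOM Part 10 preamble and File Meta Information group, the kind of cheap pre-filter a DICOM proxy or import gateway could run before a file reaches the viewer. It rejects the length-versus-buffer inconsistencies that push unsafe parsers into memory errors: a declared element length larger than the remaining file, a truncated element header, the undefined length 0xFFFFFFFF where it is not permitted, out-of-order tags, and a (0002,0000) group length that does not match the elements that follow. The "DICM" magic at offset 128, the group 0002 tags and the rule that the meta group is always explicit VR little endian come from the DICOM standard (PS3.10); the sample files are constructed in code and do not come from any real study.

```c
/*
 * Added example: bounds-checked sanity check of a DICOM Part 10 preamble and
 * File Meta Information group. Written for this page; not OsiriX MD's code and
 * not a detector for the CVE-2025-27578 trigger itself. Samples are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREAMBLE_LEN 128
#define UNDEFINED_LENGTH 0xFFFFFFFFu

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VRs whose explicit-VR encoding is: 2-byte VR, 2 reserved bytes, 4-byte length. */
static bool vr_has_long_length(const void *vr) {
    static const char *const long_vrs[] = {"OB","OD","OF","OL","OW","SQ","UC","UR","UT","UN"};
    for (size_t i = 0; i < sizeof long_vrs / sizeof long_vrs[0]; i++)
        if (memcmp(vr, long_vrs[i], 2) == 0) return true;
    return false;
}

/* Walks the meta group (always explicit VR little endian) with every read
 * checked against len first. Returns NULL if well-formed, else a reason. */
const char *check_dicom_meta(const uint8_t *buf, size_t len)
{
    if (len < PREAMBLE_LEN + 4) return "too short for preamble and DICM magic";
    if (memcmp(buf + PREAMBLE_LEN, "DICM", 4) != 0) return "missing DICM magic";

    size_t off = PREAMBLE_LEN + 4, group_start = 0;
    uint32_t group_len = 0, last_tag = 0;
    bool have_ts = false;

    while (off < len) {
        if (len - off < 8) return "truncated element header";
        uint16_t group = rd16(buf + off), elem = rd16(buf + off + 2);
        if (group != 0x0002) break;                    /* dataset begins; stop */
        uint32_t tag = ((uint32_t)group << 16) | elem;
        if (tag <= last_tag) return "meta tags not strictly ascending";
        last_tag = tag;

        uint32_t vlen; size_t hdr;
        if (vr_has_long_length(buf + off + 4)) {
            if (len - off < 12) return "truncated element header";
            vlen = rd32(buf + off + 8); hdr = 12;
        } else {
            vlen = rd16(buf + off + 6); hdr = 8;
        }
        if (vlen == UNDEFINED_LENGTH) return "undefined length not allowed in meta group";
        /* The check a memory-unsafe parser skips: the value must fit in the file. */
        if (vlen > len - off - hdr) return "element length exceeds file size";
        if (elem == 0x0000) {
            if (vlen != 4) return "bad (0002,0000) value size";
            group_len = rd32(buf + off + hdr);
            group_start = off + hdr + vlen;
        }
        if (elem == 0x0010 && vlen > 0) have_ts = true;
        off += hdr + vlen;
    }
    if (group_start == 0) return "missing (0002,0000) group length";
    if (off - group_start != group_len) return "(0002,0000) does not match meta group size";
    if (!have_ts) return "missing (0002,0010) transfer syntax UID";
    return NULL;
}

/* ---- constructed samples (not real studies) --------------------------- */
typedef struct { uint8_t buf[512]; size_t len; } blob;
static void put(blob *b, const void *p, size_t n) { memcpy(b->buf + b->len, p, n); b->len += n; }
static void put16(blob *b, uint16_t v) { uint8_t t[2] = {v & 0xFF, v >> 8}; put(b, t, 2); }
static void put_elem(blob *b, uint16_t g, uint16_t e, const char *vr, const void *v, uint32_t n) {
    put16(b, g); put16(b, e); put(b, vr, 2);
    if (vr_has_long_length(vr)) { put16(b, 0); put16(b, n & 0xFFFF); put16(b, n >> 16); }
    else put16(b, (uint16_t)n);
    put(b, v, n);
}

/* Well-formed file: 132-byte header, meta group with (0002,0000) = 42, then one
 * dataset element. Offsets: (0002,0001) starts at 144, (0002,0010) at 158. */
void build_good(blob *b) {
    static const uint8_t preamble[PREAMBLE_LEN] = {0};
    b->len = 0;
    put(b, preamble, PREAMBLE_LEN); put(b, "DICM", 4);
    put_elem(b, 0x0002, 0x0000, "UL", (uint8_t[]){42, 0, 0, 0}, 4);
    put_elem(b, 0x0002, 0x0001, "OB", (uint8_t[]){0, 1}, 2);
    put_elem(b, 0x0002, 0x0010, "UI", "1.2.840.10008.1.2.1", 20);  /* NUL padded to even length */
    put_elem(b, 0x0010, 0x0010, "PN", "DOE^JOHN", 8);
}

const char *verdict_good(void)      { blob b; build_good(&b); return check_dicom_meta(b.buf, b.len); }
/* (0002,0010) claims a 0xFFF0-byte value with only 36 bytes left in the file. */
const char *verdict_oversized(void) { blob b; build_good(&b); b.buf[164] = 0xF0; b.buf[165] = 0xFF; return check_dicom_meta(b.buf, b.len); }
/* File cut off in the middle of an element header. */
const char *verdict_truncated(void) { blob b; build_good(&b); return check_dicom_meta(b.buf, 162); }
/* (0002,0001) declares the undefined length 0xFFFFFFFF. */
const char *verdict_undefined(void) { blob b; build_good(&b); memset(b.buf + 152, 0xFF, 4); return check_dicom_meta(b.buf, b.len); }

int main(void) {
    const char *(*cases[])(void) = {verdict_good, verdict_oversized, verdict_truncated, verdict_undefined};
    const char *names[] = {"good", "oversized", "truncated", "undefined"};
    for (size_t i = 0; i < 4; i++) {
        const char *r = cases[i]();
        printf("%-10s %s\n", names[i], r ? r : "ok");
    }
    return 0;
}
```

Stopping at the end of group 0002 keeps the checker independent of the dataset's transfer syntax; extending it into the dataset means dispatching on the (0002,0010) value, since implicit VR and big-endian encodings use different element headers. A clean verdict here says nothing about nested sequences or pixel data, so treat it as a cheap first filter in front of the viewer, not as a guarantee that a file is safe to parse.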
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


