CVE-2025-54156 Overview
CVE-2025-54156 affects the Sante PACS Server Web Portal, a medical imaging server used in healthcare environments. The web portal transmits credential information without encryption, exposing usernames and passwords to network-based interception. The flaw maps to [CWE-319] Cleartext Transmission of Sensitive Information and [CWE-522] Insufficiently Protected Credentials. CISA published a medical advisory (ICSMA-25-224-01) covering this issue. An attacker positioned on the network path between a client and the server can capture authentication material and reuse it to access protected medical imaging data.
Critical Impact
Network-adjacent attackers can intercept plaintext credentials transmitted by the Sante PACS Server Web Portal, gaining unauthorized access to patient imaging data and PACS administrative functions.
Affected Products
- Santesoft Sante PACS Server (Web Portal component)
- Deployments exposing the web portal over unencrypted HTTP
- Healthcare environments running vulnerable Sante PACS Server versions identified in ICSMA-25-224-01
Discovery Timeline
- 2025-08-18 - CVE-2025-54156 published to the National Vulnerability Database
- 2025-10-17 - Last updated in NVD database
Technical Details for CVE-2025-54156
Vulnerability Analysis
The Sante PACS Server Web Portal handles authentication for users accessing Digital Imaging and Communications in Medicine (DICOM) studies and server administration. The portal transmits credential material over an unencrypted channel during login and subsequent authenticated requests. Any device on the network path can observe these credentials in cleartext using passive packet capture.
The defect falls into two related categories. [CWE-319] describes cleartext transmission of sensitive information across a communication channel. [CWE-522] describes credentials stored or transmitted without sufficient cryptographic protection. Together they indicate the portal lacks Transport Layer Security (TLS) enforcement on credential-bearing traffic.
Picture Archiving and Communication Systems hold protected health information. Captured credentials grant attackers access to patient studies, imaging metadata, and server configuration. Reused credentials may also unlock other systems in environments where staff share passwords across applications.
Root Cause
The root cause is the absence of mandatory encryption on the web portal's authentication flow. The portal accepts and processes credentials over plaintext HTTP rather than enforcing HTTPS with a valid certificate and modern cipher suites.
Attack Vector
The attack vector is network-based and requires no authentication. The only user interaction involved is a legitimate user submitting credentials to the portal while the attacker can observe the traffic. An attacker conducting Address Resolution Protocol (ARP) spoofing, operating a rogue Wi-Fi access point, or controlling an upstream network device captures the cleartext credentials with passive packet capture and then replays them against the portal to authenticate as the victim. Because the exposed material is the password itself rather than a short-lived session token, the replay works from any host and is not invalidated by the victim logging out. Refer to the CISA Medical Advisory ICSMA-25-224-01 for technical details and affected version ranges.
Detection Methods for CVE-2025-54156
Indicators of Compromise
- Authentication events from unfamiliar source IP addresses or geolocations against the Sante PACS Server Web Portal
- Plaintext HTTP traffic on the PACS web portal port containing Authorization headers or form fields with credential parameters
- Repeated successful logins for a single account from multiple endpoints in short time windows
Detection Strategies
- Inspect network traffic to the PACS server for HTTP sessions (port 80, or whatever port the portal is configured to listen on) carrying login form data or Basic authentication headers
- Correlate PACS authentication logs with workstation logon events to identify sessions originating from unexpected hosts
- Alert on ARP table changes or duplicate MAC addresses on VLANs hosting medical imaging systems
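The traffic inspection above, as an added example that is not part of the advisory or of Santesoft's software: a classifier that takes reassembled HTTP request payloads (for example from tshark or Zeek output) and flags requests that carry credentials in cleartext, decoding Basic authentication headers and recognising login form posts. The credential field names in CREDENTIAL_FIELDS and the sample flows are assumptions, since the page does not document the portal's form parameters.

```python
"""Added example: detect cleartext credential submissions in HTTP requests."""
from __future__ import annotations

import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Assumed field names; adjust to the portal's actual login form.
USER_FIELDS = {"username", "user", "login"}
PASSWORD_FIELDS = {"password", "passwd", "pwd"}


@dataclass
class CredentialLeak:
    src: str
    dst: str
    method: str
    path: str
    kind: str                 # "basic" or "form"
    username: Optional[str]   # value seen on the wire, for the alert record


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, str], bytes]:
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)   # ValueError if not HTTP
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(src: str, dst: str, raw: bytes) -> Optional[CredentialLeak]:
    """Return a CredentialLeak if the request exposes credentials, else None."""
    try:
        method, path, headers, body = parse_http_request(raw)
    except ValueError:
        return None                                    # not an HTTP request line

    # Case 1: HTTP Basic authentication is just base64, not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
        except ValueError:                             # binascii.Error subclasses ValueError
            decoded = ""
        user = decoded.split(":", 1)[0] if decoded else None
        return CredentialLeak(src, dst, method, path, "basic", user)

    # Case 2: login form posted as application/x-www-form-urlencoded.
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        names = {k.lower() for k in fields}
        if names & PASSWORD_FIELDS:
            user_key = next((k for k in fields if k.lower() in USER_FIELDS), None)
            user = fields[user_key][0] if user_key else None
            return CredentialLeak(src, dst, method, path, "form", user)
    return None


# Constructed sample flows (src, dst, payload); not captured from a real system.
SAMPLE_FLOWS = [
    ("10.20.5.17", "10.20.1.10:80",
     b"POST /login HTTP/1.1\r\nHost: pacs.example.local\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 37\r\n\r\n"
     b"username=rad_tech&password=Spring2025"),
    ("10.20.5.18", "10.20.1.10:80",
     b"GET /studies HTTP/1.1\r\nHost: pacs.example.local\r\n"
     b"Authorization: Basic " + base64.b64encode(b"admin:s3cret") + b"\r\n\r\n"),
    ("10.20.5.19", "10.20.1.10:80",
     b"GET /static/logo.png HTTP/1.1\r\nHost: pacs.example.local\r\n\r\n"),
]


def scan_flows(flows) -> list[CredentialLeak]:
    """Run the classifier over (src, dst, payload) tuples and keep the hits."""
    return [leak for leak in (find_cleartext_credentials(s, d, p) for s, d, p in flows) if leak]


if __name__ == "__main__":
    for leak in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT {leak.kind}: {leak.src} -> {leak.dst} {leak.method} {leak.path} user={leak.username}")
```

In production the username would normally be hashed or truncated before it reaches the SIEM; the example keeps it readable so the two cases can be checked by eye. Anything TLS-wrapped never reaches this code, so a hit is by itself evidence that the cleartext listener is still in use.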
Monitoring Recommendations
- Capture and review PACS web portal access logs for anomalous user agents, source addresses, and off-hours activity
- Monitor for clients connecting to the portal over HTTP rather than HTTPS once TLS is enforced
- Track DICOM query and retrieve operations following authentication events to detect bulk imaging data exfiltration
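The two log-based indicators above (one account authenticating from several endpoints inside a short window, and off-hours activity), as an added example not taken from the advisory or from Santesoft's software. The page does not document the portal's log format, so the line layout, the LOGIN_OK marker and the sample lines are constructed assumptions; only the parsing regex needs to change for a real deployment.

```python
"""Added example: flag multi-endpoint and off-hours PACS portal logins."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<ISO8601 UTC> LOGIN_OK user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGIN_OK user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log; not from a real system.
SAMPLE_LOG = """\
2025-08-20T08:02:11Z LOGIN_OK user=rad_tech src=10.20.5.17
2025-08-20T08:05:40Z LOGIN_OK user=rad_tech src=10.20.5.17
2025-08-20T08:09:03Z LOGIN_OK user=rad_tech src=198.51.100.23
2025-08-20T08:40:00Z LOGIN_OK user=dr_lee src=10.20.5.22
2025-08-20T02:31:19Z LOGIN_OK user=admin src=10.20.9.4
this line is not a login event and is skipped
""".splitlines()


def parse_events(lines) -> list[tuple[datetime, str, str]]:
    """Parse successful-login lines into (timestamp, user, src), sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"]))
    return sorted(events)


def multi_endpoint_logins(events, window=timedelta(minutes=10), min_sources=2):
    """One alert per account whose logins within `window` come from >= min_sources IPs.

    A replayed credential typically shows up as the victim's own workstation and
    the attacker's host both succeeding for the same account minutes apart.
    """
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    alerts = []
    for user, recs in by_user.items():
        for i, (ts, _src) in enumerate(recs):
            sources = {s for t, s in recs[i:] if t - ts <= window}
            if len(sources) >= min_sources:
                alerts.append((user, ts, sorted(sources)))
                break                      # one alert per account is enough
    return alerts


def off_hours_logins(events, start_hour=22, end_hour=6):
    """Logins between start_hour and end_hour (UTC here; adjust to site hours)."""
    return [(user, ts, src) for ts, user, src in events
            if ts.hour >= start_hour or ts.hour < end_hour]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for user, ts, srcs in multi_endpoint_logins(evts):
        print(f"ALERT multi-endpoint: {user} at {ts.isoformat()} from {srcs}")
    for user, ts, src in off_hours_logins(evts):
        print(f"ALERT off-hours: {user} at {ts.isoformat()} from {src}")
```

The window and the night-time boundaries are policy choices; a radiology department with a night shift will want the off-hours rule keyed to the roster rather than to the clock.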
How to Mitigate CVE-2025-54156
Immediate Actions Required
- Apply the vendor update referenced in CISA Medical Advisory ICSMA-25-224-01 as soon as it is available for your deployment
- Restrict network access to the Sante PACS Server Web Portal using firewall rules that allow only authorized clinical subnets
- Force a password reset for all PACS portal accounts that have authenticated over unencrypted channels
- Place the PACS server behind a reverse proxy that terminates TLS with a valid certificate until the vendor patch is deployed; the proxy-to-portal hop must stay on the same host (loopback) or on an isolated segment, otherwise credentials still cross the network in cleartext behind the proxy
Patch Information
Consult the Santesoft vendor advisory linked from CISA Medical Advisory ICSMA-25-224-01 for the fixed version of Sante PACS Server. Confirm the patched build enforces HTTPS for all portal endpoints and disables plaintext HTTP listeners.
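A check for the two conditions named above (HTTPS enforced, plaintext listener gone), as an added example that is not from the advisory or from Santesoft. The probe functions open real connections; the assessment functions work on captured response bytes so the logic can be exercised offline. The host name and the constructed responses are assumptions.

```python
"""Added example: verify a PACS portal no longer accepts credentials over HTTP."""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass
from typing import Optional

REDIRECTS = {301, 302, 307, 308}


@dataclass
class Finding:
    ok: bool
    reason: str


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased headers) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_plaintext_listener(raw_response: Optional[bytes]) -> Finding:
    """raw_response is None when the cleartext port refused or dropped the connection."""
    if raw_response is None:
        return Finding(True, "cleartext port closed or filtered (best outcome)")
    status, headers = parse_response(raw_response)
    location = headers.get("location", "")
    if status in REDIRECTS and location.lower().startswith("https://"):
        # Acceptable but weaker: a client that POSTs a login before following
        # the redirect has already sent the password in cleartext.
        return Finding(True, f"redirects to {location}; still block the port at the firewall")
    return Finding(False, f"serves content over plaintext (HTTP {status})")


def assess_tls_response(raw_response: bytes) -> Finding:
    """HSTS stops browsers from ever retrying the host over plaintext."""
    _status, headers = parse_response(raw_response)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return Finding(False, "no Strict-Transport-Security header on HTTPS response")
    return Finding(True, f"HSTS present: {hsts}")


def _recv_all(sock, limit: int = 65536) -> bytes:
    chunks, total = [], 0
    while total < limit:
        data = sock.recv(4096)
        if not data:
            break
        chunks.append(data)
        total += len(data)
    return b"".join(chunks)


def _request(host: str, path: str) -> bytes:
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def fetch_plaintext(host: str, port: int = 80, path: str = "/", timeout: float = 5) -> Optional[bytes]:
    """Fetch over plain TCP; None means refused, reset or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(_request(host, path))
            return _recv_all(s)
    except OSError:            # ConnectionRefusedError and socket.timeout are OSErrors
        return None


def fetch_tls(host: str, port: int = 443, path: str = "/", timeout: float = 5) -> bytes:
    """Fetch over TLS with certificate and hostname verification enabled."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as s:
            s.sendall(_request(host, path))
            return _recv_all(s)


if __name__ == "__main__":
    host = "pacs.example.local"          # assumed host name
    print("plaintext:", assess_plaintext_listener(fetch_plaintext(host)))
    print("tls:", assess_tls_response(fetch_tls(host)))
```

Run it from a clinical subnet as well as from the server's own network segment; a listener that is blocked from one vantage point may still be reachable from another.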
Workarounds
- Deploy a TLS-terminating reverse proxy such as nginx or HAProxy in front of the portal, bind the portal itself to a loopback address so the proxy-to-portal hop never crosses the network, and block direct access to the cleartext port
- Segment the PACS server on a dedicated VLAN with access control lists limiting traffic to clinical workstations and imaging modalities
- Require virtual private network (VPN) access for any remote staff connecting to the portal
- Disable browser autofill and credential storage for the PACS portal on shared clinical workstations
# Example nginx reverse proxy enforcing TLS in front of the Sante PACS Web Portal.
# The portal must listen only on 127.0.0.1:8080 (loopback); if it still binds a
# routable interface, clients can bypass the proxy and the fix is cosmetic.
server {
    listen 443 ssl http2;
    server_name pacs.example.local;
    ssl_certificate /etc/ssl/certs/pacs.crt;
    ssl_certificate_key /etc/ssl/private/pacs.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # Tell browsers never to retry this host over plaintext
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
# Redirect any plaintext requests to HTTPS. This helps only clients that have
# not yet submitted a login on port 80; block the port at the firewall as well.
server {
    listen 80;
    server_name pacs.example.local;
    return 301 https://$host$request_uri;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.