CVE-2025-0896

Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-037-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*

History

30 Jul 2025, 18:11

Type	Values Removed	Values Added
References	~~() https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-037-02 -~~	() https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-037-02 - Third Party Advisory, US Government Resource
Summary		(es) Los servidores Orthanc anteriores a la versión 1.5.8 no habilitan la autenticación básica de forma predeterminada cuando está habilitado el acceso remoto. Esto podría provocar un acceso no autorizado por parte de un atacante.
First Time		Orthanc-server Orthanc-server orthanc
CPE		cpe:2.3:a:orthanc-server:orthanc::::::::

13 Feb 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-13 02:15

Updated : 2025-07-30 18:11

NVD link : CVE-2025-0896

Mitre link : CVE-2025-0896

CVE.ORG link : CVE-2025-0896

JSON object : View

Products Affected

orthanc-server

orthanc

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2025-0896", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-13T02:15:29.470", "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-037-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker."}, {"lang": "es", "value": "Los servidores Orthanc anteriores a la versi\u00f3n 1.5.8 no habilitan la autenticaci\u00f3n b\u00e1sica de forma predeterminada cuando est\u00e1 habilitado el acceso remoto. Esto podr\u00eda provocar un acceso no autorizado por parte de un atacante."}], "lastModified": "2025-07-30T18:11:27.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84C95858-D895-40D6-AFC2-357278EA92C3", "versionEndExcluding": "1.5.8"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}