CVE-2025-2263

During login to the web server in "Sante PACS Server.exe", OpenSSL function EVP_DecryptUpdate is called to decrypt the username and password. A fixed 0x80-byte stack-based buffer is passed to the function as the output buffer. A stack-based buffer overflow exists if a long encrypted username or password is supplied by an unauthenticated remote attacker.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.tenable.com/security/research/tra-2025-08	Exploit Third Party Advisory
https://www.tenable.com/security/research/tra-2025-08	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:santesoft:sante_pacs_server:4.1.0:*:*:*:*:*:*:*

History

03 Apr 2025, 18:20

Type	Values Removed	Values Added
First Time		Santesoft Santesoft sante Pacs Server
CPE		cpe:2.3:a:santesoft:sante_pacs_server:4.1.0:::::::*
CWE		CWE-787
References	~~() https://www.tenable.com/security/research/tra-2025-08 -~~	() https://www.tenable.com/security/research/tra-2025-08 - Exploit, Third Party Advisory

14 Mar 2025, 14:15

Type	Values Removed	Values Added
Summary		(es) Al iniciar sesión en el servidor web en "Sante PACS Server.exe", se llama a la función OpenSSL EVP_DecryptUpdate para descifrar el nombre de usuario y la contraseña. Se pasa a la función un búfer fijo de pila de 0x80 bytes como búfer de salida. Se produce un desbordamiento de búfer de pila si un atacante remoto no autenticado proporciona un nombre de usuario o una contraseña cifrados largos.
References	~~() https://www.tenable.com/security/research/tra-2025-08 -~~	() https://www.tenable.com/security/research/tra-2025-08 -

13 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-13 17:15

Updated : 2025-04-03 18:20

NVD link : CVE-2025-2263

Mitre link : CVE-2025-2263

CVE.ORG link : CVE-2025-2263

JSON object : View

Products Affected

santesoft

sante_pacs_server

CWE

CWE-121

Stack-based Buffer Overflow

CWE-787

Out-of-bounds Write

{"id": "CVE-2025-2263", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "vulnreport@tenable.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-03-13T17:15:38.617", "references": [{"url": "https://www.tenable.com/security/research/tra-2025-08", "tags": ["Exploit", "Third Party Advisory"], "source": "vulnreport@tenable.com"}, {"url": "https://www.tenable.com/security/research/tra-2025-08", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "vulnreport@tenable.com", "description": [{"lang": "en", "value": "CWE-121"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "During login to the web server in \"Sante PACS Server.exe\", OpenSSL function EVP_DecryptUpdate is called to decrypt the username and password. A fixed 0x80-byte stack-based buffer is passed to the function as the output buffer. A stack-based buffer overflow exists if a long encrypted username or password is supplied by an unauthenticated remote attacker."}, {"lang": "es", "value": "Al iniciar sesi\u00f3n en el servidor web en \"Sante PACS Server.exe\", se llama a la funci\u00f3n OpenSSL EVP_DecryptUpdate para descifrar el nombre de usuario y la contrase\u00f1a. Se pasa a la funci\u00f3n un b\u00fafer fijo de pila de 0x80 bytes como b\u00fafer de salida. Se produce un desbordamiento de b\u00fafer de pila si un atacante remoto no autenticado proporciona un nombre de usuario o una contrase\u00f1a cifrados largos."}], "lastModified": "2025-04-03T18:20:38.627", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:santesoft:sante_pacs_server:4.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94D12F49-C02A-4B31-B215-387260205DB3"}], "operator": "OR"}]}], "sourceIdentifier": "vulnreport@tenable.com"}