A critical vulnerability potentially affecting Orthanc servers can pose a serious risk to medical data and healthcare operations, according to a researcher.
The US cybersecurity agency CISA last week published an ICS medical advisory to inform organizations about CVE-2025-0896, a critical authentication issue discovered in Orthanc, an open source and lightweight DICOM server for medical imaging. The product is used worldwide in the healthcare and public health sector.
CISA revealed that Orthanc server versions prior to 1.5.8 can allow a remote attacker to gain access to the system because basic authentication is not active by default when remote access is enabled.
“Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information, modify records, or cause a denial-of-service condition,” CISA warned.
Souvik Kandar, lead researcher at IoT/OT security firm MicroSec, one of the researchers credited in CISA’s advisory for this vulnerability, told SecurityWeek that CVE-2025-0896 can be exploited remotely from the internet, and he has seen 615 instances exposed to the web.
“By leveraging this vulnerability, an attacker could manipulate patient data within the application, delete critical X-ray images, and potentially cause life-threatening consequences for patients. This poses a severe risk to healthcare operations and patient safety,” Kandar explained.
CISA said it’s not aware of any attacks exploiting this vulnerability.
Orthanc developers urge users to upgrade to the latest version and check their configuration to ensure that authentication is enabled if remote access is allowed. Organizations should also ensure that they have defined Orthanc server users and that these users have strong passwords. Additional information for securing Orthanc servers is available in the documentation made available by Orthanc.
Contacted by SecurityWeek, an Orthanc developer provided some important clarifications on why the vulnerability exists, when it was actually patched, and the actions that users should take:
“[Orthanc’s] lightweight design allows anyone to spin up an Orthanc server quickly on his own PC to start playing with DICOM files. For this purpose, no authentication is enabled by default on the REST API but, to keep the system secure, the REST API is accessible only from the localhost. The remote access must be enabled explicitly in a configuration file.
Up to version 1.5.7, enabling remote access did not automatically enable authentication. This was fixed in 1.5.8, which was released in October 2019, but no CVE was issued at that time, so this CVE was published now to trigger new interest in this issue.
As always, security is not only a matter of software but mainly a matter for the people configuring the software, so even as of today, with the latest 1.12.6 version, it is still possible to enable remote access and disable authentication, because it makes perfect sense in some architectures where Orthanc is protected by other systems upfront.
Furthermore, even if you have upgraded Orthanc regularly, if you have been maintaining a configuration file for many years, there is a chance that you have never updated the relevant configuration options and your recent Orthanc might still be exposed.”
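As an added illustration (not code from CISA, SecurityWeek or the Orthanc project), the following audit applies the developer's points to an Orthanc configuration file: remote access with authentication off, the pre-1.5.8 behaviour of a missing `AuthenticationEnabled` key, and the advice to define users with strong passwords. It assumes the file is plain JSON (real Orthanc files may carry comments that must be stripped first), the sample configurations are constructed, and `MIN_PASSWORD_LEN` is an arbitrary threshold, not an Orthanc setting.

```python
import json

# Constructed sample: a long-maintained config that enables remote access
# but never turned authentication on (the CVE-2025-0896 pattern).
WEAK_CONFIG = """
{
  "HttpPort": 8042,
  "RemoteAccessAllowed": true,
  "RegisteredUsers": {}
}
"""

# Constructed sample: remote access with authentication and a defined user.
HARDENED_CONFIG = """
{
  "HttpPort": 8042,
  "RemoteAccessAllowed": true,
  "AuthenticationEnabled": true,
  "RegisteredUsers": { "pacs-admin": "correct-horse-battery-staple-42" }
}
"""

MIN_PASSWORD_LEN = 12  # assumed audit threshold, not an Orthanc option


def version_tuple(version):
    """Turn '1.5.7' into (1, 5, 7) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def audit_orthanc_config(config_text, version):
    """Return a list of findings for an Orthanc configuration (JSON text)."""
    cfg = json.loads(config_text)
    findings = []
    if not cfg.get("RemoteAccessAllowed", False):
        return findings  # REST API reachable from localhost only
    auth = cfg.get("AuthenticationEnabled")
    if auth is None:
        # Up to 1.5.7 remote access did not switch authentication on;
        # from 1.5.8 a missing key means authentication is enabled.
        auth = version_tuple(version) >= (1, 5, 8)
    if not auth:
        findings.append("remote access allowed without authentication")
    users = cfg.get("RegisteredUsers") or {}
    if not users:
        findings.append("no RegisteredUsers defined")
    for name, pw in users.items():
        if len(pw) < MIN_PASSWORD_LEN:
            findings.append(f"weak password for user {name!r}")
    return findings
```

Run it against both configs with the versions named in the article (1.5.7 and 1.12.6) to see how the same file changes from exposed to merely user-less once the 1.5.8 default applies.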