Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued an advisory highlighting critical vulnerabilities in INFINITT Healthcare's Picture Archiving and Communication System (PACS). These vulnerabilities pose significant risks to healthcare organizations worldwide, potentially compromising patient data and system integrity.

Background

INFINITT PACS is a widely adopted platform that enables healthcare providers to store, retrieve, and share medical imaging data. Its integration into healthcare IT infrastructures underscores the importance of robust cybersecurity measures to protect sensitive patient information.

Identified Vulnerabilities

CISA's advisory, released on April 10, 2025, details several vulnerabilities affecting INFINITT PACS System Manager versions up to and including 3.0.11.5 BN9. The key vulnerabilities include:

  1. Unrestricted Upload of File with Dangerous Type (CVE-2025-27714):
  • Description: This vulnerability allows attackers to upload arbitrary files through specific endpoints, potentially leading to unauthorized remote code execution or system compromise.
  • Severity: CVSS v4 score of 8.7, indicating a high level of risk.
  2. Unrestricted Upload of File with Dangerous Type (CVE-2025-24489):
  • Description: Similar to the previous vulnerability, this flaw enables attackers to upload arbitrary files via a specific service, which could lead to system compromise.
  • Severity: CVSS v4 score of 8.7.
  3. Exposure of Sensitive System Information to an Unauthorized Control Sphere (CVE-2025-27721):
  • Description: Sensitive system information is exposed to users who are not authorized to see it, potentially leading to unauthorized access to system resources.
  • Severity: CVSS v4 score of 8.7.

Implications and Impact

The exploitation of these vulnerabilities can have severe consequences for healthcare organizations, including:

  • Unauthorized Access to Patient Data: Compromised systems may lead to exposure of sensitive health information, violating patient privacy and regulatory requirements.
  • Operational Disruptions: Malicious code execution can disrupt medical imaging services, affecting diagnostic processes and patient care.
  • Reputational Damage: Data breaches can erode trust in healthcare providers, leading to a loss of patient confidence and potential legal ramifications.

Technical Details

The vulnerabilities are characterized by:

  • Remote Exploitability: Attackers can exploit these flaws from remote locations without physical access to the healthcare facility.
  • Low Attack Complexity: Exploitation does not require advanced technical skills, making it accessible to a broader range of threat actors.
  • Public Exploits Available: The existence of publicly available exploits increases the likelihood of widespread attacks.

Mitigation Strategies

To address these vulnerabilities, healthcare organizations should:

  • Apply Security Patches: Upgrade to INFINITT PACS System Manager version 3.0.11.5 BN10 or later, which includes security patches for the identified vulnerabilities.
  • Restrict File Uploads: Configure System Manager settings to limit file uploads to trusted users and expected file types.
  • Enhance Authentication Mechanisms: Implement strong password policies and monitor access logs for unauthorized access attempts.
  • Network Security Measures: Place PACS servers behind firewalls and isolate them from business networks to minimize exposure.
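The two upload vulnerabilities above and the "Restrict File Uploads" mitigation share one root cause: an upload handler that trusts the client's filename and extension. The validator below is an added example written for this article; it is not INFINITT code and it does not describe how System Manager performs its checks. It shows the allowlist approach a PACS upload endpoint should take: refuse any filename containing a path component, accept only an allowlist of extensions (compared case-insensitively), bound the size, and then confirm that the content really carries the DICOM Part 10 preamble and "DICM" marker rather than trusting the extension. The size limit, extension set and sample byte strings are constructed values for the example.

```python
import os
import re
from dataclasses import dataclass

# Policy constants (hypothetical values chosen for this example).
MAX_UPLOAD_BYTES = 512 * 1024 * 1024        # hard size bound, checked before content inspection
ALLOWED_EXTENSIONS = {".dcm", ".dicom"}     # allowlist, never a denylist of "dangerous" types
DICOM_PREAMBLE_LEN = 128                    # DICOM Part 10: 128-byte preamble, then "DICM"
DICOM_MAGIC = b"DICM"
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")  # no leading dot, no separators


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str


def is_dicom_part10(data: bytes) -> bool:
    """True if the bytes carry the DICOM Part 10 preamble followed by 'DICM'."""
    end = DICOM_PREAMBLE_LEN + len(DICOM_MAGIC)
    return len(data) >= end and data[DICOM_PREAMBLE_LEN:end] == DICOM_MAGIC


def validate_upload(filename: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> UploadDecision:
    """Decide whether an uploaded file may be stored. Every check is an allowlist."""
    # 1. Filename: the client controls it, so refuse anything containing a path
    #    separator (either style) or characters outside a small safe set.
    normalised = filename.replace("\\", "/")
    if os.path.basename(normalised) != filename or not SAFE_NAME.match(filename):
        return UploadDecision(False, "unsafe filename")

    # 2. Extension allowlist, compared case-insensitively. Only the final
    #    extension counts, so "x.dcm.html" is judged by ".html".
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension {ext or '<none>'} not allowed")

    # 3. Size bound before any content inspection.
    if len(data) > max_bytes:
        return UploadDecision(False, "file too large")

    # 4. The content must be what the extension claims; the extension alone is
    #    attacker-controlled and proves nothing about the bytes.
    if not is_dicom_part10(data):
        return UploadDecision(False, "content is not DICOM Part 10")

    return UploadDecision(True, "accepted")


# Constructed sample inputs (not real study data): a minimal DICOM-like header
# and an HTML document renamed to look like an image.
SAMPLE_DICOM = b"\x00" * DICOM_PREAMBLE_LEN + DICOM_MAGIC + b"\x02\x00\x00\x00UL\x04\x00\xc0\x00\x00\x00"
SAMPLE_HTML = b"<html><body>not an image</body></html>"


def run_examples() -> dict:
    """Run the validator over the constructed cases; returns case name -> decision."""
    cases = {
        "valid_dicom": ("study001.dcm", SAMPLE_DICOM),
        "uppercase_ext": ("STUDY002.DCM", SAMPLE_DICOM),
        "wrong_extension": ("report.html", SAMPLE_DICOM),
        "renamed_html": ("study003.dcm", SAMPLE_HTML),
        "path_traversal": ("../../webroot/study.dcm", SAMPLE_DICOM),
        "double_extension": ("study.dcm.html", SAMPLE_DICOM),
    }
    return {name: validate_upload(fn, data) for name, (fn, data) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(f"{name:18} accepted={decision.accepted!s:5} {decision.reason}")
```

The order of the checks matters: the filename and extension tests are cheap and run first, the size bound runs before any bytes are inspected, and the magic-byte check runs last so a file is never written to storage until all four have passed. Pair this with storing uploads outside any web-served directory and under a server-generated name, so that even a file which slips through is never reachable as a script.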

Conclusion

The recent CISA advisory underscores the critical need for healthcare organizations to proactively address cybersecurity vulnerabilities within their IT infrastructures. By implementing recommended mitigation strategies, healthcare providers can safeguard patient data, maintain operational continuity, and uphold trust in their services.