{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27714", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-03-19T16:39:28.817Z", "datePublished": "2025-08-21T19:42:59.699Z", "dateUpdated": "2025-08-21T20:08:59.493Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "INFINITT PACS System Manager", "vendor": "INFINITT Healthcare", "versions": [{"lessThanOrEqual": "3.0.11.5 BN9", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "3.0.11.5 BN10"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Piotr Kijewski of the Shadowserver Foundation reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via the a specific endpoint, leading to unauthorized remote code \nexecution or system compromise."}], "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via the a specific endpoint, leading to unauthorized remote code \nexecution or system compromise."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-08-21T19:42:59.699Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>INFINITT recommends the following mitigations:</p>\n<p>The latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.</p>\n<p>INFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.</p>\n<ul><li>Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.</li>\n<li>Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.</li><li>Contact Information: Customers requiring additional support should contact INFINITT Security Team. (<a target=\"_blank\" rel=\"nofollow\">cybersecurity@infinitt.com</a>)\n\n<br></li></ul>"}], "value": "INFINITT recommends the following mitigations:\n\n\nThe latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.\n\n\nINFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.\n\n\n * Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.\n\n * Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.\n * Contact Information: Customers requiring additional support should contact INFINITT Security Team. (cybersecurity@infinitt.com)"}], "source": {"advisory": "ICSMA-25-100-01", "discovery": "EXTERNAL"}, "title": "INFINITT Healthcare INFINITT PACS Unrestricted Upload of File with Dangerous Type", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-21T20:08:49.089078Z", "id": "CVE-2025-27714", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T20:08:59.493Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27714", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-21T20:08:49.089078Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T20:08:55.108Z"}}], "cna": {"title": "INFINITT Healthcare INFINITT PACS Unrestricted Upload of File with Dangerous Type", "source": {"advisory": "ICSMA-25-100-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Piotr Kijewski of the Shadowserver Foundation reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "INFINITT Healthcare", "product": "INFINITT PACS System Manager", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.0.11.5 BN9"}, {"status": "unaffected", "version": "3.0.11.5 BN10"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "INFINITT recommends the following mitigations:\n\n\nThe latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.\n\n\nINFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.\n\n\n * Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.\n\n * Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.\n * Contact Information: Customers requiring additional support should contact INFINITT Security Team. (cybersecurity@infinitt.com)", "supportingMedia": [{"type": "text/html", "value": "<p>INFINITT recommends the following mitigations:</p>\n<p>The latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.</p>\n<p>INFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.</p>\n<ul><li>Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.</li>\n<li>Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.</li><li>Contact Information: Customers requiring additional support should contact INFINITT Security Team. (<a target=\"_blank\" rel=\"nofollow\">cybersecurity@infinitt.com</a>)\n\n<br></li></ul>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via the a specific endpoint, leading to unauthorized remote code \nexecution or system compromise.", "supportingMedia": [{"type": "text/html", "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via the a specific endpoint, leading to unauthorized remote code \nexecution or system compromise.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-08-21T19:42:59.699Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27714", "state": "PUBLISHED", "dateUpdated": "2025-08-21T20:08:59.493Z", "dateReserved": "2025-03-19T16:39:28.817Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-08-21T19:42:59.699Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via the a specific endpoint, leading to unauthorized remote code \nexecution or system compromise."}, {"lang": "es", "value": "Un atacante podr\u00eda aprovechar esta vulnerabilidad cargando archivos arbitrarios a trav\u00e9s de un endpoint espec\u00edfico, lo que provocar\u00eda la ejecuci\u00f3n remota no autorizada de c\u00f3digo o el compromiso del sistema."}], "id": "CVE-2025-27714", "lastModified": "2025-08-22T18:08:51.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-08-21T20:15:32.367", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{}