Recently, several critical vulnerabilities were discovered in Sante PACS Server version 4.1.0, leaving it susceptible to severe security breaches.
These vulnerabilities, identified by CVE-2025-2263, CVE-2025-2264, CVE-2025-2265, and CVE-2025-2284, expose the server to potential attacks that can lead to unauthorized access, data breaches, and denial-of-service (DoS) conditions.
In this article, we will delve into each of these vulnerabilities, provide examples of affected code, and present a summary of the flaws in a table format.
.png
)
Overview of Vulnerabilities
CVE-2025-2263: EVP_DecryptUpdate Stack-based Buffer Overflow
This vulnerability involves a stack-based buffer overflow in the Sante PACS Server’s use of EVP_DecryptUpdate from OpenSSL.
During the login process to the server, a fixed 0x80-byte stack buffer is used to decrypt the username and password.
An attacker could exploit this by sending a long encrypted username or password, causing a buffer overflow and potentially allowing code execution.
Vulnerable Code:
.text:00000001405CAB25 lea rdx, [rsp+138h+out] ; VULN: fixed 0x80-byte stack buf ->
.text:00000001405CAB25 ; stack buf overflow
.text:00000001405CAB2A mov rcx, rdi
.text:00000001405CAB2D call cs:EVP_DecryptUpdateCVE-2025-2264: Path Traversal Information Disclosure
This vulnerability allows an unauthenticated remote attacker to download arbitrary files located on the server’s disk.
The embedded web server serves files from a specific directory, but it does not properly validate request paths, enabling path traversal attacks.
An attacker can exploit this by crafting a URL that navigates outside the intended directory structure.
Exploitation Example:
curl --path-as-is -o /tmp/HTTP.db 'http://[target-host]:3000/assets/../../.HTTP/HTTP.db'CVE-2025-2265: HTTP.db SHA1 Hash Truncation
In this vulnerability, password hashes stored in the server’s SQLite database are truncated if they contain a zero byte, making them vulnerable to collision attacks.
An attacker can exploit this by leveraging the path traversal vulnerability to download the database and then find equivalent passwords for truncated hashes.
Vulnerable Hash Handling:
.text:000000014062DD14 calc_hash_len_to_encode: ; CODE XREF: do_SHA1_hash+27C↓j
.text:000000014062DD14 inc r8
.text:000000014062DD17 cmp byte ptr [rax+r8], 0
.text:000000014062DD1C jnz short calc_hash_len_to_encode
.text:000000014062DD1E lea rdx, [rsp+2198h+SHA1Hash]
.text:000000014062DD23 mov rcx, rdi
.text:000000014062DD26 call base64_encodeCVE-2025-2284: Access of Uninitialized Pointer DoS
This denial-of-service vulnerability occurs when the server attempts to extract login credentials from a malformed request.
If there are insufficient lines following the “usrname” field, the server may access an uninitialized pointer, leading to a crash.
Malformed Request PoC:
echo -ne 'GET /usrname HTTP/1.1\r\n\r\n' | nc -q 0 [target-host] 3000Summary of Vulnerabilities
| CVE Number | Vulnerability Description | Affected Product |
| CVE-2025-2263 | EVP_DecryptUpdate Stack-based Buffer Overflow | Sante PACS Server 4.1.0 |
| CVE-2025-2264 | Path Traversal Information Disclosure | Sante PACS Server 4.1.0 |
| CVE-2025-2265 | HTTP.db SHA1 Hash Truncation | Sante PACS Server 4.1.0 |
| CVE-2025-2284 | Access of Uninitialized Pointer DoS | Sante PACS Server 4.1.0 |
To protect against these vulnerabilities, users are advised to upgrade their Sante PACS Server to version 4.2.0 or later.
According to the Tenable report, this update will resolve these security issues and enhance the overall security posture of the system.
Users should also consider implementing additional security measures such as network segmentation and regular monitoring to detect potential exploitation attempts.
As with any software vulnerability, prompt action is crucial to ensure the integrity of sensitive data and system availability.
Regular updates and security audits are fundamental practices for maintaining robust cybersecurity defenses.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
