Sante PACS Server Flaws Allow Remote Attackers to Download Arbitrary Files

Recently, several critical vulnerabilities were discovered in Sante PACS Server version 4.1.0, leaving it susceptible to severe security breaches.

These vulnerabilities, identified by CVE-2025-2263, CVE-2025-2264, CVE-2025-2265, and CVE-2025-2284, expose the server to potential attacks that can lead to unauthorized access, data breaches, and denial-of-service (DoS) conditions.

In this article, we will delve into each of these vulnerabilities, provide examples of affected code, and present a summary of the flaws in a table format.

Overview of Vulnerabilities

CVE-2025-2263: EVP_DecryptUpdate Stack-based Buffer Overflow

This vulnerability involves a stack-based buffer overflow in the Sante PACS Server’s use of EVP_DecryptUpdate from OpenSSL.

During the login process to the server, a fixed 0x80-byte stack buffer is used to decrypt the username and password.

An attacker could exploit this by sending a long encrypted username or password, causing a buffer overflow and potentially allowing code execution.

Vulnerable Code:

.text:00000001405CAB25  lea     rdx, [rsp+138h+out] ; VULN: fixed 0x80-byte stack buf ->

.text:00000001405CAB25                          ; stack buf overflow

.text:00000001405CAB2A  mov     rcx, rdi

.text:00000001405CAB2D  call    cs:EVP_DecryptUpdate

CVE-2025-2264: Path Traversal Information Disclosure

This vulnerability allows an unauthenticated remote attacker to download arbitrary files located on the server’s disk.

The embedded web server serves files from a specific directory, but it does not properly validate request paths, enabling path traversal attacks.

An attacker can exploit this by crafting a URL that navigates outside the intended directory structure.

Exploitation Example:

curl --path-as-is -o /tmp/HTTP.db 'http://[target-host]:3000/assets/../../.HTTP/HTTP.db'

CVE-2025-2265: HTTP.db SHA1 Hash Truncation

In this vulnerability, password hashes stored in the server’s SQLite database are truncated if they contain a zero byte, making them vulnerable to collision attacks.

An attacker can exploit this by leveraging the path traversal vulnerability to download the database and then find equivalent passwords for truncated hashes.

Vulnerable Hash Handling:

.text:000000014062DD14 calc_hash_len_to_encode: ; CODE XREF: do_SHA1_hash+27C↓j

.text:000000014062DD14  inc     r8

.text:000000014062DD17  cmp     byte ptr [rax+r8], 0

.text:000000014062DD1C  jnz     short calc_hash_len_to_encode

.text:000000014062DD1E  lea     rdx, [rsp+2198h+SHA1Hash]

.text:000000014062DD23  mov     rcx, rdi

.text:000000014062DD26  call    base64_encode

CVE-2025-2284: Access of Uninitialized Pointer DoS

This denial-of-service vulnerability occurs when the server attempts to extract login credentials from a malformed request.

If there are insufficient lines following the “usrname” field, the server may access an uninitialized pointer, leading to a crash.

Malformed Request PoC:

echo -ne 'GET /usrname HTTP/1.1\r\n\r\n' | nc -q 0 [target-host] 3000

Summary of Vulnerabilities

To protect against these vulnerabilities, users are advised to upgrade their Sante PACS Server to version 4.2.0 or later.

According to the Tenable report, this update will resolve these security issues and enhance the overall security posture of the system.

Users should also consider implementing additional security measures such as network segmentation and regular monitoring to detect potential exploitation attempts.

As with any software vulnerability, prompt action is crucial to ensure the integrity of sensitive data and system availability.

Regular updates and security audits are fundamental practices for maintaining robust cybersecurity defenses.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free