Cyber Security News

Sante PACS Server Flaws Allow Remote Attackers to Download Arbitrary Files

Recently, several critical vulnerabilities were discovered in Sante PACS Server version 4.1.0, leaving it susceptible to severe security breaches.

These vulnerabilities, identified by CVE-2025-2263CVE-2025-2264CVE-2025-2265, and CVE-2025-2284, expose the server to potential attacks that can lead to unauthorized access, data breaches, and denial-of-service (DoS) conditions.

In this article, we will delve into each of these vulnerabilities, provide examples of affected code, and present a summary of the flaws in a table format.

Overview of Vulnerabilities

CVE-2025-2263: EVP_DecryptUpdate Stack-based Buffer Overflow

This vulnerability involves a stack-based buffer overflow in the Sante PACS Server’s use of EVP_DecryptUpdate from OpenSSL.

During the login process to the server, a fixed 0x80-byte stack buffer is used to decrypt the username and password.

An attacker could exploit this by sending a long encrypted username or password, causing a buffer overflow and potentially allowing code execution.

Vulnerable Code:

.text:00000001405CAB25  lea     rdx, [rsp+138h+out] ; VULN: fixed 0x80-byte stack buf ->

.text:00000001405CAB25                          ; stack buf overflow

.text:00000001405CAB2A  mov     rcx, rdi

.text:00000001405CAB2D  call    cs:EVP_DecryptUpdate

CVE-2025-2264: Path Traversal Information Disclosure

This vulnerability allows an unauthenticated remote attacker to download arbitrary files located on the server’s disk.

The embedded web server serves files from a specific directory, but it does not properly validate request paths, enabling path traversal attacks.

An attacker can exploit this by crafting a URL that navigates outside the intended directory structure.

Exploitation Example:

curl --path-as-is -o /tmp/HTTP.db 'http://[target-host]:3000/assets/../../.HTTP/HTTP.db'

CVE-2025-2265: HTTP.db SHA1 Hash Truncation

In this vulnerability, password hashes stored in the server’s SQLite database are truncated if they contain a zero byte, making them vulnerable to collision attacks.

An attacker can exploit this by leveraging the path traversal vulnerability to download the database and then find equivalent passwords for truncated hashes.

Vulnerable Hash Handling:

.text:000000014062DD14 calc_hash_len_to_encode: ; CODE XREF: do_SHA1_hash+27C↓j

.text:000000014062DD14  inc     r8

.text:000000014062DD17  cmp     byte ptr [rax+r8], 0

.text:000000014062DD1C  jnz     short calc_hash_len_to_encode

.text:000000014062DD1E  lea     rdx, [rsp+2198h+SHA1Hash]

.text:000000014062DD23  mov     rcx, rdi

.text:000000014062DD26  call    base64_encode

CVE-2025-2284: Access of Uninitialized Pointer DoS

This denial-of-service vulnerability occurs when the server attempts to extract login credentials from a malformed request.

If there are insufficient lines following the “usrname” field, the server may access an uninitialized pointer, leading to a crash.

Malformed Request PoC:

echo -ne 'GET /usrname HTTP/1.1\r\n\r\n' | nc -q 0 [target-host] 3000

Summary of Vulnerabilities

CVE NumberVulnerability DescriptionAffected Product
CVE-2025-2263EVP_DecryptUpdate Stack-based Buffer OverflowSante PACS Server 4.1.0
CVE-2025-2264Path Traversal Information DisclosureSante PACS Server 4.1.0
CVE-2025-2265HTTP.db SHA1 Hash TruncationSante PACS Server 4.1.0
CVE-2025-2284Access of Uninitialized Pointer DoSSante PACS Server 4.1.0

To protect against these vulnerabilities, users are advised to upgrade their Sante PACS Server to version 4.2.0 or later.

According to the Tenable report, this update will resolve these security issues and enhance the overall security posture of the system.

Users should also consider implementing additional security measures such as network segmentation and regular monitoring to detect potential exploitation attempts.

As with any software vulnerability, prompt action is crucial to ensure the integrity of sensitive data and system availability.

Regular updates and security audits are fundamental practices for maintaining robust cybersecurity defenses.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party JavaScript…

20 minutes ago

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs to…

27 minutes ago

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate payroll…

35 minutes ago

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some reports),…

1 hour ago

71 Fake Websites Impersonating German Retailer to Steal Payment Information

Recorded Future Payment Fraud Intelligence has uncovered a sprawling network of 71 fraudulent e-commerce domains…

2 hours ago

New Scan Uncovers 150K Industrial Systems Worldwide Vulnerable to Cyberattacks

A groundbreaking study leveraging advanced application-layer scanning has exposed approximately 150,000 industrial control systems (ICS)…

2 hours ago