{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27721", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-03-19T16:39:28.803Z", "datePublished": "2025-08-21T19:33:03.503Z", "dateUpdated": "2025-08-22T15:50:50.711Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "INFINITT PACS System Manager", "vendor": "INFINITT Healthcare", "versions": [{"lessThanOrEqual": "3.0.11.5 BN9", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "3.0.11.5 BN10"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Piotr Kijewski of the Shadowserver Foundation reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unauthorized users can access INFINITT PACS System Manager&nbsp;without proper authorization, \nwhich could lead to unauthorized access to system resources."}], "value": "Unauthorized users can access INFINITT PACS System Manager\u00a0without proper authorization, \nwhich could lead to unauthorized access to system resources."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "CWE-497", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-08-21T19:33:03.503Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>INFINITT recommends the following mitigations:</p>\n<p>The latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.</p>\n<p>INFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.</p>\n<ul>\n<li>For CVE-2025-27714 and CVE-2025-24489: Apply the security patch and \nconfigure the System Manager settings to restrict unauthorized file \nuploads.</li>\n<li>For CVE-2025-27721: Apply the patch, enforce strong password \npolicies, and enable logging to monitor for unauthorized access \nattempts.</li>\n<li>Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.</li><li>Contact Information: Customers requiring additional support should contact INFINITT Security Team. (<a target=\"_blank\" rel=\"nofollow\">cybersecurity@infinitt.com</a>)\n\n<br></li></ul>"}], "value": "INFINITT recommends the following mitigations:\n\n\nThe latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.\n\n\nINFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.\n\n\n\n * For CVE-2025-27714 and CVE-2025-24489: Apply the security patch and \nconfigure the System Manager settings to restrict unauthorized file \nuploads.\n\n * For CVE-2025-27721: Apply the patch, enforce strong password \npolicies, and enable logging to monitor for unauthorized access \nattempts.\n\n * Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.\n * Contact Information: Customers requiring additional support should contact INFINITT Security Team. (cybersecurity@infinitt.com)"}], "source": {"advisory": "ICSMA-25-100-01", "discovery": "EXTERNAL"}, "title": "INFINITT Healthcare INFINITT PACS Exposure of Sensitive System Information to an Unauthorized Control Sphere", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-22T15:50:46.203499Z", "id": "CVE-2025-27721", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-22T15:50:50.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27721", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-22T15:50:46.203499Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T20:07:03.999Z"}}], "cna": {"title": "INFINITT Healthcare INFINITT PACS Exposure of Sensitive System Information to an Unauthorized Control Sphere", "source": {"advisory": "ICSMA-25-100-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Piotr Kijewski of the Shadowserver Foundation reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "INFINITT Healthcare", "product": "INFINITT PACS System Manager", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.0.11.5 BN9"}, {"status": "unaffected", "version": "3.0.11.5 BN10"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "INFINITT recommends the following mitigations:\n\n\nThe latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.\n\n\nINFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.\n\n\n\n * For CVE-2025-27714 and CVE-2025-24489: Apply the security patch and \nconfigure the System Manager settings to restrict unauthorized file \nuploads.\n\n * For CVE-2025-27721: Apply the patch, enforce strong password \npolicies, and enable logging to monitor for unauthorized access \nattempts.\n\n * Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.\n * Contact Information: Customers requiring additional support should contact INFINITT Security Team. (cybersecurity@infinitt.com)", "supportingMedia": [{"type": "text/html", "value": "<p>INFINITT recommends the following mitigations:</p>\n<p>The latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.</p>\n<p>INFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.</p>\n<ul>\n<li>For CVE-2025-27714 and CVE-2025-24489: Apply the security patch and \nconfigure the System Manager settings to restrict unauthorized file \nuploads.</li>\n<li>For CVE-2025-27721: Apply the patch, enforce strong password \npolicies, and enable logging to monitor for unauthorized access \nattempts.</li>\n<li>Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.</li><li>Contact Information: Customers requiring additional support should contact INFINITT Security Team. (<a target=\"_blank\" rel=\"nofollow\">cybersecurity@infinitt.com</a>)\n\n<br></li></ul>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Unauthorized users can access INFINITT PACS System Manager\u00a0without proper authorization, \nwhich could lead to unauthorized access to system resources.", "supportingMedia": [{"type": "text/html", "value": "Unauthorized users can access INFINITT PACS System Manager&nbsp;without proper authorization, \nwhich could lead to unauthorized access to system resources.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "CWE-497"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-08-21T19:33:03.503Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27721", "state": "PUBLISHED", "dateUpdated": "2025-08-22T15:50:50.711Z", "dateReserved": "2025-03-19T16:39:28.803Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-08-21T19:33:03.503Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthorized users can access INFINITT PACS System Manager\u00a0without proper authorization, \nwhich could lead to unauthorized access to system resources."}, {"lang": "es", "value": "Los usuarios no autorizados pueden acceder a INFINITT PACS System Manager sin la debida autorizaci\u00f3n, lo que podr\u00eda generar un acceso no autorizado a los recursos del sistema."}], "id": "CVE-2025-27721", "lastModified": "2025-08-22T18:08:51.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-08-21T20:15:32.573", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}