Advisory

Belgian healthcare technology company Orthanc reports critical vulnerability in their server software

Take action: If your organization is using Orthanc server, make sure it's isolated and accessible only from trusted networks. Then plan a priority patch to fix this issue, or at least change the configuration to enable authentication.


Learn More

Orthanc, a Belgium-based healthcare technology company, is reporting a critical security vulnerability in their server software that could potentially expose sensitive medical information.

The vulnerability is tracked as CVE-2025-0896 (CVSS score 9.8), Missing Authentication for Critical Function, which allows unauthorized access when remote access is enabled. It stems from a default configuration issue: basic authentication is not enabled by default when remote access is activated.

This security flaw affects all versions of the Orthanc server prior to version 1.5.8, and it exposes healthcare organizations worldwide that use the Orthanc server to manage medical imaging data to unauthorized access by malicious actors.

Orthanc has released version 1.5.8 to address this vulnerability and recommends that users either update to the latest version or manually enable HTTP authentication by setting "AuthenticationEnabled": true in the server's configuration file.
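The configuration check described above, written out as an added example for defenders auditing their own deployments (this is not code from the advisory or from the Orthanc project). It parses an Orthanc JSON configuration and reports the exposure condition from the advisory: remote access allowed without "AuthenticationEnabled": true. The key name "AuthenticationEnabled" comes from the advisory; "RemoteAccessAllowed" and "RegisteredUsers" are assumed from Orthanc's documented configuration, and the sample configurations are constructed for illustration.

```python
import json

# Orthanc configuration keys used by this audit. "AuthenticationEnabled" is
# named in the advisory; "RemoteAccessAllowed" and "RegisteredUsers" are
# assumed from Orthanc's documented configuration (not from the advisory).
REMOTE_KEY = "RemoteAccessAllowed"
AUTH_KEY = "AuthenticationEnabled"
USERS_KEY = "RegisteredUsers"


def audit_orthanc_config(config: dict) -> list[str]:
    """Return findings for a parsed Orthanc configuration.

    An empty list means neither exposure condition below was detected.
    """
    findings = []
    remote = bool(config.get(REMOTE_KEY, False))
    auth = config.get(AUTH_KEY)  # None when the key is absent from the file
    users = config.get(USERS_KEY, {})

    # The CVE-2025-0896 condition: the server is reachable remotely and HTTP
    # authentication is not explicitly turned on. On versions before 1.5.8
    # the missing key means authentication stays disabled.
    if remote and auth is not True:
        if auth is None:
            findings.append(
                f"CRITICAL: {REMOTE_KEY} is true and {AUTH_KEY} is not set; "
                "pre-1.5.8 defaults leave the REST API unauthenticated"
            )
        else:
            findings.append(
                f"CRITICAL: {REMOTE_KEY} is true and {AUTH_KEY} is explicitly false"
            )

    # Authentication switched on but no credentials defined in this file:
    # worth a second look, since access control depends on what is defined.
    if auth is True and not users:
        findings.append(
            f"WARNING: {AUTH_KEY} is true but {USERS_KEY} is empty in this file"
        )
    return findings


def audit_orthanc_config_text(text: str) -> list[str]:
    """Parse the contents of a configuration file and audit it."""
    return audit_orthanc_config(json.loads(text))


# Constructed sample configurations (not taken from any real deployment).
EXPOSED_CONFIG = """
{
  "Name": "imaging-01",
  "RemoteAccessAllowed": true
}
"""

HARDENED_CONFIG = """
{
  "Name": "imaging-01",
  "RemoteAccessAllowed": true,
  "AuthenticationEnabled": true,
  "RegisteredUsers": { "radiology": "example-password" }
}
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for line in audit_orthanc_config_text(cfg) or ["OK: no findings"]:
            print("  " + line)
```

Run it against a copy of the server's configuration file; a CRITICAL finding means the instance should be network-isolated until it is upgraded to 1.5.8 or the authentication setting is corrected. Orthanc configuration files may contain C-style comments, which `json.loads` rejects, so strip those before passing the text in.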

The vulnerability was independently reported by two security researchers. As of the initial publication date (February 6, 2025), no known public exploitation of this vulnerability has been reported to CISA.