Advisory

Pixmeo patches multiple flaws in OsiriX MD medical imaging software, one critical

Take action: If you are using Pixmeo OsiriX MD, make sure it is isolated from the internet and accessible only from a trusted network, and start patching OsiriX MD. If remote access is necessary, use a Virtual Private Network (VPN). Make sure also to implement physical controls to restrict access to authorized individuals only.


Learn More

Pixmeo is reporting multiple security vulnerabilities in its OsiriX MD medical imaging software, including a critical severity flaw. Successful exploitation of these vulnerabilities could allow attackers to steal sensitive credentials or cause memory corruption resulting in denial-of-service conditions. Given that OsiriX MD is widely used in healthcare environments for medical imaging, these vulnerabilities could potentially impact patient care operations if exploited.

  • CVE-2025-27720 (CVSS score 9.3) - Cleartext Transmission of Sensitive Information that allows attackers to steal credentials as the OsiriX MD Web Portal sends credential information without encryption.
  • CVE-2025-27578 (CVSS score 8.7) - Use After Free that enables attackers to upload a crafted DICOM file and cause memory corruption leading to a denial-of-service condition.
  • CVE-2025-31946 (CVSS score 6.9) - Local Use After Free that allows attackers to locally import a crafted DICOM file resulting in memory corruption or a system crash.

The vulnerabilities affect OsiriX MD version 14.0.1 (Build 2024-02-28) and all prior versions. 

Pixmeo recommends users download and install the latest version of OsiriX MD immediately. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. 
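One way to apply the network isolation recommended under "Take action" on the macOS host running OsiriX MD is a pf ruleset that admits the web portal and DICOM listener only from the trusted imaging subnet or the VPN tunnel. This is an added illustration, not Pixmeo's guidance; the interface names, subnet and port numbers are assumptions to adjust for your deployment.

```pf
# /etc/pf.conf fragment for a macOS host running OsiriX MD (added example).
# Assumptions: en0 is the LAN interface, utun0 is the VPN tunnel interface,
# 10.20.0.0/24 is the trusted imaging VLAN; the portal and DICOM ports below
# are placeholders and must match the ports configured in OsiriX MD.
ext_if      = "en0"
vpn_if      = "utun0"
trusted_net = "10.20.0.0/24"
portal_port = "3333"
dicom_port  = "4096"

set block-policy drop
set skip on lo0

# Default deny inbound and log it for review; allow the host's own outbound traffic.
block in log all
pass out all keep state

# Web portal and DICOM listener: reachable only from the trusted subnet on the LAN
# interface, or from peers that arrive through the VPN tunnel. Because pf applies
# the last matching rule, these pass rules override the default block above.
pass in on $ext_if proto tcp from $trusted_net to ($ext_if) port { $portal_port, $dicom_port } keep state
pass in on $vpn_if proto tcp to ($vpn_if) port { $portal_port, $dicom_port } keep state
```

Check the syntax with `sudo pfctl -n -f /etc/pf.conf` before loading it, and confirm from an untrusted address that the portal port no longer answers.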
