{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24489", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-03-19T16:39:28.811Z", "datePublished": "2025-08-21T19:44:18.551Z", "dateUpdated": "2025-08-21T20:09:44.406Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "INFINITT PACS System Manager", "vendor": "INFINITT Healthcare", "versions": [{"lessThanOrEqual": "3.0.11.5 BN9", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "3.0.11.5 BN10"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Piotr Kijewski of the Shadowserver Foundation reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via a specific service, which could lead to system compromise."}], "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via a specific service, which could lead to system compromise."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-08-21T19:44:18.551Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>INFINITT recommends the following mitigations:</p>\n<p>The latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.</p>\n<p>INFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.</p>\n<ul><li>Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.</li>\n<li>Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.</li><li>Contact Information: Customers requiring additional support should contact INFINITT Security Team. (<a target=\"_blank\" rel=\"nofollow\">[email protected]</a>)\n\n<br></li></ul>"}], "value": "INFINITT recommends the following mitigations:\n\n\nThe latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.\n\n\nINFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.\n\n\n * Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.\n\n * Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.\n * Contact Information: Customers requiring additional support should contact INFINITT Security Team. ([email protected])"}], "source": {"advisory": "ICSMA-25-100-01", "discovery": "EXTERNAL"}, "title": "INFINITT Healthcare INFINITT PACS Unrestricted Upload of File with Dangerous Type", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-21T20:09:30.758583Z", "id": "CVE-2025-24489", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T20:09:44.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24489", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-21T20:09:30.758583Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T20:09:36.475Z"}}], "cna": {"title": "INFINITT Healthcare INFINITT PACS Unrestricted Upload of File with Dangerous Type", "source": {"advisory": "ICSMA-25-100-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Piotr Kijewski of the Shadowserver Foundation reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "INFINITT Healthcare", "product": "INFINITT PACS System Manager", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.0.11.5 BN9"}, {"status": "unaffected", "version": "3.0.11.5 BN10"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "INFINITT recommends the following mitigations:\n\n\nThe latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.\n\n\nINFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.\n\n\n * Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.\n\n * Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.\n * Contact Information: Customers requiring additional support should contact INFINITT Security Team. ([email protected])", "supportingMedia": [{"type": "text/html", "value": "<p>INFINITT recommends the following mitigations:</p>\n<p>The latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.</p>\n<p>INFINITT ULite is NOT affected by these vulnerabilities. However, if \nINFINITT ULite is operating as an integrated system with INFINITT PACS, \npatching is required to secure the PACS environment.</p>\n<ul><li>Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.</li>\n<li>Network Security Recommendations: Minimize network exposure for PACS\n servers, ensuring they are not directly accessible from the internet.</li><li>Contact Information: Customers requiring additional support should contact INFINITT Security Team. (<a target=\"_blank\" rel=\"nofollow\">[email protected]</a>)\n\n<br></li></ul>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via a specific service, which could lead to system compromise.", "supportingMedia": [{"type": "text/html", "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via a specific service, which could lead to system compromise.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-08-21T19:44:18.551Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24489", "state": "PUBLISHED", "dateUpdated": "2025-08-21T20:09:44.406Z", "dateReserved": "2025-03-19T16:39:28.811Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-08-21T19:44:18.551Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker could exploit this vulnerability by uploading arbitrary \nfiles via a specific service, which could lead to system compromise."}, {"lang": "es", "value": "Un atacante podr\u00eda aprovechar esta vulnerabilidad cargando archivos arbitrarios a trav\u00e9s de un servicio espec\u00edfico, lo que podr\u00eda comprometer el sistema."}], "id": "CVE-2025-24489", "lastModified": "2025-08-22T18:08:51.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "[email protected]", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-08-21T20:15:31.900", "references": [{"source": "[email protected]", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "[email protected]", "type": "Primary"}]}

{}