Pixmeo OsiriX MD DICOM Viewer Found to Have Three Vulnerabilities
Pixmeo OsiriX MD is the most popular DICOM medical image viewer in the world. Recently, the company identified three vulnerabilities in its software, including a critical vulnerability that can be remotely exploited to steal credentials.
The critical vulnerability allows credentials to be transmitted in cleartext through the OsiriX MD Web Portal. Because the credentials are sent without the encryption HIPAA calls for, a threat actor who can observe the traffic could intercept them. The vulnerability is tracked as CVE-2025-27720 and has an assigned CVSS v4 severity score of 9.3 and a CVSS v3.1 score of 7.4.
The second vulnerability is a high-severity use-after-free flaw. An attacker can trigger it by uploading a specially crafted DICOM file. If successfully exploited, the vulnerability corrupts memory, causing a denial-of-service condition. The vulnerability is tracked as CVE-2025-27578 and has an assigned CVSS v4 base score of 8.7 and a CVSS v3.1 score of 7.5.
The third vulnerability is rated medium severity. It is also a use-after-free flaw, triggered by locally adding a specially crafted DICOM file; a threat actor who exploits it could corrupt memory or cause a system crash. The vulnerability is tracked as CVE-2025-31946 and has an assigned CVSS v4 base score of 6.9 and a CVSS v3.1 score of 6.2.
Chizuru Toyama and Canaan Kao of TXOne Networks discovered the vulnerabilities and reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The three vulnerabilities affect OsiriX MD version 14.0.1 (Build 2024-02-28) and earlier versions. Pixmeo has fixed the issues in the newest version of the DICOM viewer software. Although there are no reported instances of the vulnerabilities being exploited in the wild, users should make sure they update all Pixmeo OsiriX MD installations to the most recent version to avoid exploitation.
To reduce the risk of exploitation, users should not expose Pixmeo OsiriX MD to the Internet. The software should be placed behind a firewall and isolated from business networks. If remote access is required, a secure method of access, for instance a Virtual Private Network (VPN), must be used. Physical controls must be in place to limit access to approved persons only.