CVE-2025-0896: Orthanc Server Missing Authentication for Critical Function

9.2 CVSS

Description

Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.

Classification

CVE ID: CVE-2025-0896

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.2

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor: Orthanc

Product: Orthanc server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.98% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-037-02

Timeline

2025-02-06 14:45:27 UTC
All CISA Advisories

Orthanc Server
2025-02-14 00:32:31 UTC
CVE

Orthanc Server Missing Authentication for Critical Function