CVE-2025-0896
Published 2025-02-13
CVE-2025-0896: Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access…
Priority: P2 (64)
Severity: critical, 9.8 (CVSS 3.1), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.38% (81.8th percentile)
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | orthanc | < orthanc 1.5.8+dfsg-1 (bookworm) | orthanc 1.5.8+dfsg-1 (bookworm) |
| orthanc-server | orthanc | < 1.5.8 | 1.5.8 |
| orthanc-server | orthanc | >= 0 < 1.5.8+dfsg-1 | 1.5.8+dfsg-1 |
| orthanc-server | orthanc | >= 0 < 1.5.8+dfsg-1 | 1.5.8+dfsg-1 |
| orthanc-server | orthanc | >= 0 < 1.5.8+dfsg-1 | 1.5.8+dfsg-1 |
| orthanc-server | orthanc | >= 0 < 1.5.8+dfsg-1 | 1.5.8+dfsg-1 |
| orthanc | orthanc_server | < 1.5.8 | 1.5.8 |
Detection & IOCs (extracted from sources)
- Orthanc server instances with remote access enabled but no basic authentication configured (versions prior to 1.5.8) are exposed to unauthorized access; detect by probing for unauthenticated HTTP responses on Orthanc's default ports (8042 for the REST API, 4242 for DICOM).
- Orthanc prior to 1.5.8 does not enable basic authentication by default when remote access is enabled, leaving the server open to unauthenticated access. Ensure 'AuthenticationEnabled' is explicitly set to true in the Orthanc configuration whenever remote access is enabled.
- Fixed in Orthanc package version 1.5.8+dfsg-1 across Debian releases (bookworm, bullseye, forky, sid, trixie). Upgrade to this version or later to remediate.
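To check a deployment for the misconfiguration described above, the following Python audit is an added example (it is not part of this advisory, of Debian's, or of Orthanc's own code). It parses an Orthanc configuration file and flags remote access without an explicit 'AuthenticationEnabled': true. The key names RemoteAccessAllowed, AuthenticationEnabled, RegisteredUsers and HttpPort are Orthanc's real configuration keys; the two sample configurations and the pre-1.5.8 default behaviour they model are constructed assumptions.

```python
import json
import re

# Constructed samples: the first mirrors a pre-1.5.8 deployment that opened
# remote access without touching authentication; the second is the hardened form.
WEAK_CONFIG = """{
  // remote clients may reach the REST API on HttpPort (default 8042)
  "RemoteAccessAllowed" : true
}"""

HARDENED_CONFIG = """{
  "RemoteAccessAllowed" : true,
  "AuthenticationEnabled" : true,
  "RegisteredUsers" : { "pacs-admin" : "CHANGE-ME-placeholder" }
}"""


def load_orthanc_config(text):
    """Parse an Orthanc config file; the shipped template uses // line comments."""
    return json.loads(re.sub(r"^[ \t]*//.*$", "", text, flags=re.MULTILINE))


def audit_remote_auth(config):
    """Return findings for the CVE-2025-0896 pattern in a parsed config dict.

    Assumed pre-1.5.8 behaviour: remote access on and authentication left at
    its default (off) means unauthenticated REST access. Explicit true is the fix.
    """
    findings = []
    remote = config.get("RemoteAccessAllowed", False)
    auth = config.get("AuthenticationEnabled")          # None when not set at all
    users = config.get("RegisteredUsers") or {}
    port = config.get("HttpPort", 8042)
    if remote and auth is not True:
        state = "not set" if auth is None else "false"
        findings.append(
            f"RemoteAccessAllowed=true with AuthenticationEnabled {state}: "
            f"REST API on port {port} accepts unauthenticated requests; set it to true"
        )
    if remote and auth is True and not users:
        findings.append(
            "AuthenticationEnabled=true but RegisteredUsers is empty: "
            "define explicit accounts rather than relying on version-specific defaults"
        )
    return findings


def audit_file_text(text):
    """Parse then audit; an empty list means no finding."""
    return audit_remote_auth(load_orthanc_config(text))
```

Run `audit_file_text(open("/etc/orthanc/orthanc.json").read())` (path assumed; use your deployment's configuration file) and treat any returned finding as a remediation item.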
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 9.2 | CRITICAL | |
| vendor_debian | | 9.2 | CRITICAL | |
Debian
CVE-2025-0896: orthanc - Orthanc server prior to version 1.5.8 does not enable basic authentication by de...
vendor_debian · 2025 · CVSS 9.2 · CRITICAL
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
Scope: local
bookworm: resolved (fixed in 1.5.8+dfsg-1)
bullseye: resolved (fixed in 1.5.8+dfsg-1)
forky: resolved (fixed in 1.5.8+dfsg-1)
sid: resolved (fixed in 1.5.8+dfsg-1)
trixie: resolved (fixed in 1.5.8+dfsg-1)
GHSA
GHSA-q8wv-5h5r-52rp: Orthanc server prior to version 1
ghsa_unreviewed · 2025-02-13 · CRITICAL · CWE-306
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
OSV
CVE-2025-0896: Orthanc server prior to version 1
osv · 2025-02-13 · CVSS 9.2 · CRITICAL
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-02-13