CVE-2025-0896
published 2025-02-13


Priority: P2 · 64 · critical 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.38% (81.8th percentile)
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.

Affected (7 ranges)

Vendor           Product          Version range                        Fixed in
debian           orthanc          < orthanc 1.5.8+dfsg-1 (bookworm)    orthanc 1.5.8+dfsg-1 (bookworm)
orthanc-server   orthanc          < 1.5.8                              1.5.8
orthanc-server   orthanc          >= 0 < 1.5.8+dfsg-1                  1.5.8+dfsg-1
orthanc-server   orthanc          >= 0 < 1.5.8+dfsg-1                  1.5.8+dfsg-1
orthanc-server   orthanc          >= 0 < 1.5.8+dfsg-1                  1.5.8+dfsg-1
orthanc-server   orthanc          >= 0 < 1.5.8+dfsg-1                  1.5.8+dfsg-1
orthanc          orthanc_server   < 1.5.8                              1.5.8

Detection & IOCs (extracted from sources)

  • Orthanc server instances with remote access enabled but no basic authentication configured (versions prior to 1.5.8) are exposed to unauthorized access; detect by probing for unauthenticated HTTP responses on Orthanc's default ports (8042 for the REST API, 4242 for DICOM).
  • Orthanc prior to 1.5.8 does not enable basic authentication by default when remote access is enabled, leaving the server open to unauthenticated access. Ensure 'AuthenticationEnabled' is explicitly set to true in the Orthanc configuration when remote access is enabled.
  • Fixed in Orthanc package version 1.5.8+dfsg-1 across Debian releases (bookworm, bullseye, forky, sid, trixie). Upgrade to this version or later to remediate.

CVSS provenance

Source          Version  Score  Severity   Vector
nvd             v3.1     9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0     9.2    CRITICAL   CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv                      9.2    CRITICAL
vendor_debian            9.2    CRITICAL