CVE-2025-2263
Published 2025-03-13
Priority: P262 · Critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.85% (53.6th percentile)
During login to the web server in "Sante PACS Server.exe", OpenSSL function EVP_DecryptUpdate is called to decrypt the username and password. A fixed 0x80-byte stack-based buffer is passed to the function as the output buffer. A stack-based buffer overflow exists if a long encrypted username or password is supplied by an unauthenticated remote attacker.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| santesoft | sante_pacs_server | — | — |
Detection & IOCs (extracted from sources)
- Detect stack-based buffer overflow attempts against the Sante PACS Server login endpoint: monitor for abnormally long encrypted username or password fields submitted to the web login on port 3000, which would overflow a fixed 0x80-byte stack buffer in EVP_DecryptUpdate.
- Detect path traversal exploitation (CVE-2025-2264) by monitoring HTTP requests to port 3000 containing '/assets/../' or sequences of '../' in the URL path, particularly targeting HTTP.db or other files outside the .OHIFViewer directory.
- Monitor for connection resets or access violations on the Sante PACS Server process following login attempts, which may indicate exploitation of the stack buffer overflow (crash signature: rdx=0x4141414141414129, stack filled with 0x41 bytes).
- Alert on unauthenticated HTTP requests to port 3000 that attempt to retrieve HTTP.db (the SQLite credentials database), as this enables offline hash collision attacks against truncated SHA1 password hashes.
- During PoC execution, the attacker first fetches the login page to extract a session_id, encryption IV, and encryption key before sending the overflow payload; monitor for rapid sequential unauthenticated GET requests to the login page followed by a login POST with oversized credentials.
- The vulnerable version is specifically Sante PACS Server 4.1.0 (file version 4.1.0.0); the overflow occurs in the decrypt_data function at a fixed 0x80-byte stack buffer passed to EVP_DecryptUpdate.
- The path traversal (CVE-2025-2264) is constrained to the disk drive where the application is installed; the sanity check for /assets/ or valid extensions can be bypassed with ../ sequences because the check does not normalize the path before appending it to the base directory.
- The SHA1 hash truncation vulnerability (CVE-2025-2265) means stored password hashes in HTTP.db may be shorter than a full 20-byte SHA1 hash if the hash contains a zero byte, making hash collision attacks more feasible for affected accounts.
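The two request-level heuristics listed above (oversized encrypted credential fields on the port 3000 login POST, and '../' sequences in the URL path), as an added detection example that is not part of this page or of the vendor's code. It runs over a constructed log; the login path `/login`, the form field names and a 16-byte cipher block size are assumptions, since the page does not name them. The length check mirrors the OpenSSL contract that EVP_DecryptUpdate may write up to the input length plus one block into the output buffer, so a 0x80-byte buffer cannot safely receive more than 0x70 bytes of ciphertext.

```python
from urllib.parse import parse_qs, unquote

OUT_BUF_SIZE = 0x80   # fixed stack output buffer named in the advisory
BLOCK_SIZE = 16       # assumption: AES-sized block; the page does not name the cipher
LOGIN_PATH = "/login"  # assumption: the login page path is not given on the page
CRED_FIELDS = ("username", "password")  # assumption: form field names

# Constructed log, one request per line: "<client> <method> <path> <port> <body-or-dash>".
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /login 3000 -",
    "10.0.0.5 POST /login 3000 session_id=s1&username=" + "ab" * 16 + "&password=" + "cd" * 16,
    "10.0.0.9 GET /login 3000 -",
    "10.0.0.9 POST /login 3000 session_id=s2&username=" + "41" * 300 + "&password=" + "cd" * 16,
    "10.0.0.7 GET /assets/../HTTP.db 3000 -",
    "10.0.0.8 GET /assets/app.js 3000 -",
])

def ciphertext_len(value: str) -> int:
    """Bytes handed to EVP_DecryptUpdate; assumes hex transport, falls back to raw length."""
    try:
        return len(bytes.fromhex(value))
    except ValueError:
        return len(value)

def overflows_out_buffer(inl: int) -> bool:
    """EVP_DecryptUpdate may write up to inl + block size bytes; the caller must have that room."""
    return inl + BLOCK_SIZE > OUT_BUF_SIZE

def analyze(log_text: str) -> list:
    """Return (finding, client, detail) tuples for suspicious traffic to port 3000."""
    findings = []
    for line in log_text.splitlines():
        client, method, path, port, body = line.split(" ", 4)
        if port != "3000":
            continue
        norm = unquote(path)
        if "/../" in norm or norm.endswith("/.."):      # CVE-2025-2264 traversal pattern
            findings.append(("path_traversal", client, path))
        if method == "POST" and norm == LOGIN_PATH:
            form = parse_qs(body)
            for field in CRED_FIELDS:
                for value in form.get(field, []):
                    if overflows_out_buffer(ciphertext_len(value)):
                        findings.append(("oversized_credential", client, field))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```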
GHSA
GHSA-37r4-ppph-4wwq · ghsa_unreviewed · 2025-03-13 · CVE-2025-2263 [CRITICAL] · CWE-121
Citrix
Citrix Security Bulletin CTX136623 · vendor_citrix · CVSS 5.0 · CVE-2013-2263 [MEDIUM]
CVE References: CVE-2013-2263, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
No public exploits indexed.
Published: 2025-03-13