CVE-2025-2263
published 2025-03-13

Priority: P2 62 · critical 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.85% (53.6th percentile)
During login to the web server in "Sante PACS Server.exe", OpenSSL function EVP_DecryptUpdate is called to decrypt the username and password. A fixed 0x80-byte stack-based buffer is passed to the function as the output buffer. A stack-based buffer overflow exists if a long encrypted username or password is supplied by an unauthenticated remote attacker.

Affected (1 range)

Vendor: santesoft
Product: sante_pacs_server
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 3000
path: C:\Sante Server DB\.OHIFViewer\
filename: HTTP.db
url: /assets/../../.HTTP/HTTP.db
process: Sante PACS Server.exe
command: curl --path-as-is -o /tmp/HTTP.db 'http://[target-host]:3000/assets/../../.HTTP/HTTP.db'
  • Detect stack-based buffer overflow attempts against the Sante PACS Server login endpoint: monitor for abnormally long encrypted username or password fields submitted to the web login on port 3000, since anything longer than the fixed 0x80-byte stack buffer passed to EVP_DecryptUpdate overflows it.
  • Detect path traversal exploitation (CVE-2025-2264) by monitoring HTTP requests to port 3000 whose URL path contains '/assets/../' or repeated '../' sequences, particularly those targeting HTTP.db or other files outside the .OHIFViewer directory.
  • Monitor for connection resets or access violations in the Sante PACS Server process following login attempts; these may indicate exploitation of the stack buffer overflow (crash signature: rdx=0x4141414141414129, stack filled with 0x41 bytes).
  • Alert on unauthenticated HTTP requests to port 3000 that retrieve HTTP.db (the SQLite credentials database), as possession of it enables offline hash collision attacks against the truncated SHA1 password hashes.
  • During PoC execution the attacker first fetches the login page to extract a session_id, encryption IV and encryption key before sending the overflow payload; monitor for rapid sequential unauthenticated GET requests to the login page followed by a login POST with oversized credentials.
  • The vulnerable version is specifically Sante PACS Server 4.1.0 (file version 4.1.0.0); the overflow occurs in the decrypt_data function at a fixed 0x80-byte stack buffer passed to EVP_DecryptUpdate.
  • The path traversal (CVE-2025-2264) is constrained to the disk drive where the application is installed; the sanity check for /assets/ or a valid extension can be bypassed with ../ sequences because the check does not normalize the path before appending it to the base directory.
  • The SHA1 hash truncation vulnerability (CVE-2025-2265) means stored password hashes in HTTP.db may be shorter than a full 20-byte SHA1 hash if the hash contains a zero byte, which makes hash collision attacks more feasible for the affected accounts.
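The two request-level checks above (a path under /assets/ that normalizes outside it, and an encrypted login field larger than the 0x80-byte buffer) as a small added detection routine over constructed request records; this is example code, not the vendor's or the advisory's. It assumes the login POST goes to a path named /login with form fields named username and password carrying hex-encoded ciphertext; none of those three details are stated on this page.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Values from the advisory: 0x80-byte decrypt buffer, web server on port 3000.
STACK_BUFFER_SIZE = 0x80
SERVICE_PORT = 3000
ASSETS_PREFIX = "/assets/"
LOGIN_PATH = "/login"  # assumed; the advisory does not name the login route


def path_escapes_assets(raw_path: str) -> bool:
    """True when a path that claims to be under /assets/ normalizes to a
    location outside it (e.g. /assets/../../.HTTP/HTTP.db) or carries '../'."""
    path = unquote(urlsplit(raw_path).path)  # decode %2e%2e style encoding
    if not path.startswith(ASSETS_PREFIX):
        return False
    normalized = posixpath.normpath(path)
    return not normalized.startswith(ASSETS_PREFIX) or "../" in path


def oversized_credential(field_hex: str) -> bool:
    """True when an encrypted credential (assumed hex-encoded) decodes to
    more bytes than EVP_DecryptUpdate's fixed 0x80-byte output buffer."""
    try:
        return len(bytes.fromhex(field_hex)) > STACK_BUFFER_SIZE
    except ValueError:
        return False  # not hex; a different decoder would be needed


def analyze_requests(records):
    """Return one alert string per suspicious request record."""
    alerts = []
    for r in records:
        if r.get("port") != SERVICE_PORT:
            continue
        if r["method"] == "GET" and path_escapes_assets(r["path"]):
            alerts.append(f"path traversal (CVE-2025-2264): {r['path']}")
        if r["method"] == "POST" and r["path"] == LOGIN_PATH:
            for name in ("username", "password"):  # assumed field names
                if oversized_credential(r.get("form", {}).get(name, "")):
                    alerts.append(f"oversized encrypted {name} (CVE-2025-2263)")
    return alerts


# Constructed sample records, not real traffic.
SAMPLE_RECORDS = [
    {"port": 3000, "method": "GET", "path": "/assets/app.js"},
    {"port": 3000, "method": "GET", "path": "/assets/../../.HTTP/HTTP.db"},
    {"port": 3000, "method": "POST", "path": "/login",
     "form": {"username": "ab" * 16, "password": "cd" * 16}},
    {"port": 3000, "method": "POST", "path": "/login",
     "form": {"username": "41" * 200, "password": "cd" * 16}},
]
```

Running analyze_requests(SAMPLE_RECORDS) yields two alerts: one for the traversal GET and one for the 200-byte encrypted username.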