cbcvebase.
CVE-2025-2264
published 2025-03-13


Priority: P1 82 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild: VulnCheck KEV
EPSS: 38.66% (98.4th percentile)
A Path Traversal Information Disclosure vulnerability exists in "Sante PACS Server.exe". An unauthenticated remote attacker can exploit it to download arbitrary files on the disk drive where the application is installed.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
msrc | cbl2_vim_9.0.0050-2_on_cbl_mariner_2.0 | |
msrc | cm1_vim_9.0.0050-1_on_cbl_mariner_1.0 | |
santesoft | sante_pacs_server | |

Detection & IOCs (extracted from sources)

url: http://[target-host]:3000/assets/../../.HTTP/HTTP.db
path: /assets/../../.HTTP/HTTP.db
path: C:\Sante Server DB\.OHIFViewer\
filename: HTTP.db
port: 3000
command: GET /assets/../../.HTTP/HTTP.db HTTP/1.1
yara: contains_all(body, 'SQLite','TABLE USER','format') AND status_code == 200
  • Detect path traversal attempts targeting the /assets/ prefix followed by ../ sequences in HTTP requests to port 3000 on Sante PACS Server.
  • Flag HTTP responses containing the strings 'SQLite', 'TABLE USER' and 'format' together with an HTTP 200 status; this combination indicates successful exfiltration of the HTTP.db credential database.
  • Monitor for unauthenticated GET requests to Sante PACS Server (port 3000) containing '/../' or '%2F..%2F' sequences, especially those targeting .HTTP/HTTP.db.
  • Use Shodan favicon hash 1185161484 to identify internet-exposed Sante PACS Server instances for proactive asset discovery.
  • A Metasploit auxiliary module (gather/pacsserver_traversal) exists for this CVE and can be used to test for exploitation attempts in logs.
  • The path traversal bypass relies on the /assets/ prefix passing the sanity check: the server only validates that the URL contains '/assets/' or ends in an allowed extension (.js, .css), not that the resolved path stays within the OHIFViewer directory.
  • File retrieval is limited to the disk drive where the application is installed; arbitrary files on that drive are accessible without authentication.
  • The static resource root is C:\Sante Server DB\.OHIFViewer\; traversal sequences escape this directory to reach arbitrary paths on the same drive.
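The request-side and response-side checks in the bullets above, written out as a small detector. This is an added example, not code from the page or from Santesoft: the access-log format, the client addresses, the timestamps and the sample response body are all constructed for illustration, and the function names are ours. It percent-decodes each request target (repeatedly, so double-encoded variants are caught), folds backslashes to slashes, and flags a request only when it uses the /assets/ prefix and its resolved path escapes that root, so a request like /assets/../assets/viewer.css is not a false positive. The response check mirrors the page's rule literally.

```python
"""Detection helpers for CVE-2025-2264-style traversal via the /assets/ prefix.

Added example (not the page's or Santesoft's code). Log format, addresses,
timestamps and the sample body are constructed for illustration.
"""
import re
from posixpath import normpath
from urllib.parse import unquote

# Combined-log style line: client, timestamp, request line, status, size (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

STATIC_ROOT = "/assets/"   # prefix the vulnerable handler trusts
MAX_DECODE_ROUNDS = 3      # catches %252e%252e (double encoding) without looping forever
SQLITE_MAGIC = b"SQLite format 3\x00"   # header of every SQLite 3 database file


def decode_target(target: str) -> str:
    """Drop the query string, percent-decode repeatedly, fold backslashes to slashes."""
    path = target.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve(path: str) -> str:
    """Collapse '.' and '..' segments the way a filesystem lookup would."""
    if not path.startswith("/"):
        path = "/" + path
    return normpath(path)


def analyze_target(target: str):
    """Return a finding when the request uses /assets/ to escape the static root, else None."""
    decoded = decode_target(target)
    if STATIC_ROOT not in decoded:
        return None                       # the bypass described above hinges on this prefix
    if ".." not in decoded.split("/"):
        return None                       # no traversal segment at all
    resolved = resolve(decoded)
    if resolved.startswith(STATIC_ROOT):
        return None                       # '..' present but still inside the static root
    return {"target": target, "decoded": decoded, "resolved": resolved}


def scan_log(lines):
    """Run the traversal check over access-log lines; one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = analyze_target(m.group("target"))
        if hit:
            hit.update(src=m.group("src"), ts=m.group("ts"), status=int(m.group("status")))
            findings.append(hit)
    return findings


def response_looks_like_db_exfil(body: bytes, status_code: int) -> bool:
    """The page's response rule: 'SQLite', 'TABLE USER' and 'format' all present with HTTP 200."""
    needles = (b"SQLite", b"TABLE USER", b"format")
    return status_code == 200 and all(n in body for n in needles)


# Constructed access-log lines: one benign asset fetch, four traversal variants, one
# '..' that stays inside /assets/ and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Mar/2025:10:01:02 +0000] "GET /assets/app.js HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Mar/2025:10:01:05 +0000] "GET /assets/../../.HTTP/HTTP.db HTTP/1.1" 200 28672',
    '203.0.113.7 - - [13/Mar/2025:10:01:09 +0000] "GET /assets/%2e%2e%2f%2e%2e%2f.HTTP/HTTP.db HTTP/1.1" 200 28672',
    '203.0.113.7 - - [13/Mar/2025:10:01:12 +0000] "GET /assets/%252e%252e/%252e%252e/.HTTP/HTTP.db HTTP/1.1" 200 28672',
    r'203.0.113.7 - - [13/Mar/2025:10:01:15 +0000] "GET /assets/..\..\.HTTP\HTTP.db HTTP/1.1" 200 28672',
    '198.51.100.4 - - [13/Mar/2025:10:02:00 +0000] "GET /assets/../assets/viewer.css HTTP/1.1" 200 900',
]

# Constructed response body shaped like the start of a SQLite file with a USER table.
SAMPLE_BODY = SQLITE_MAGIC + b"\x10\x00" * 8 + b"CREATE TABLE USER(name TEXT, pwd TEXT)"

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['target']} -> {f['resolved']} (HTTP {f['status']})")
    print("response matches exfil rule:", response_looks_like_db_exfil(SAMPLE_BODY, 200))
```

Running the block prints the four traversal requests, each resolving to /.HTTP/HTTP.db, and True for the response check; the benign app.js fetch and the in-root ../assets/viewer.css request produce no finding. In production the response check needs the body, so it belongs in a proxy or IDS with payload inspection rather than in access-log review.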

CVSS provenance

nvd: v3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH
vendor_msrc: 7.8 HIGH