
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

CISA Issues Alert About Multiple Philips Vue PACS Vulnerabilities

More than a dozen vulnerabilities have been identified in the Philips Vue PACS image management and communication system, including critical vulnerabilities that can be remotely exploited in a low-complexity attack. Successful exploitation of the vulnerabilities could allow an unauthenticated individual to remotely execute code, install unauthorized software, eavesdrop, view, or modify data, or negatively impact the confidentiality, integrity, or availability of the system or data.

The 13 vulnerabilities affect all versions prior to 12.2.8.410.

Vue PACS Vulnerabilities

| CVE | Type | CVSS v3.1 | CVSS v4 |
|---|---|---|---|
| CVE-2017-17485 | Deserialization of untrusted data | 9.8 | 9.3 |
| CVE-2020-11113 | Deserialization of untrusted data | 8.8 | 7.1 |
| CVE-2020-10673 | Deserialization of untrusted data | 8.8 | 8.7 |
| CVE-2023-40159 | Exposure of sensitive information to an unauthorized actor | 8.2 | 8.8 |
| CVE-2020-35728 | Deserialization of untrusted data | 8.1 | 9.3 |
| CVE-2021-20190 | Deserialization of untrusted data | 8.1 | 9.3 |
| CVE-2020-14061 | Deserialization of untrusted data | 8.1 | 9.3 |
| CVE-2021-28165 | Uncontrolled resource consumption | 7.5 | 8.8 |
| CVE-2023-40704 | Use of default credentials | 7.1 | 8.4 |
| CVE-2019-12814 | Deserialization of untrusted data | 5.9 | 8.7 |
| CVE-2020-36518 | Out of bounds write | 5.3 | 7.1 |
| CVE-2023-40223 | Improper privilege management | 4.4 | 4.8 |
| CVE-2023-40539 | Weak password requirements | 4.4 | 4.4 |

Philips has addressed 10 of the vulnerabilities in Vue PACS version 12.2.8.400, which was released in August 2023. The uncontrolled resource consumption vulnerability, CVE-2021-28165, can be addressed by updating to 12.2.8.410, which was released in October 2023, and also configuring the Vue PACS according to the D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide.

The default credentials vulnerability, CVE-2023-40704, and the weak password vulnerability, CVE-2023-40539, should be addressed per the configuration recommended in the 8G7607 – Vue PACS User Guide Rev G.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
