
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Vulnerabilities Identified in Pixmeo OsiriX MD DICOM Viewer

Three vulnerabilities have been identified in Pixmeo OsiriX MD, the most widely used DICOM medical image viewing software in the world, including a critical, remotely exploitable flaw that could result in credential theft.

The most serious vulnerability stems from the OsiriX MD Web Portal transmitting credentials in cleartext. Because the credentials are not encrypted in transit, an attacker able to observe traffic between a user and the portal (on the same network segment, or at any hop in between) could capture them and reuse them. The vulnerability is tracked as CVE-2025-27720 and has a CVSS v4 base score of 9.3 (CVSS v3.1: 7.4).
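The cleartext-credential issue above is the one a network defender can verify directly: if a login to the portal leaves the workstation outside TLS, anyone on the path sees it. The script below is an added example, not code from Pixmeo, TXOne Networks or CISA. It takes individual HTTP requests already extracted from a capture (for example with a proxy or tshark), each tagged with whether it travelled inside TLS, and reports those that carry a form password, a JSON secret or an HTTP Basic header without TLS. The hostnames, field names and sample requests are constructed for the example and say nothing about how the real OsiriX portal is built.

```python
"""Flag HTTP requests that carry credentials without TLS.

Added example (not Pixmeo/TXOne/CISA code). Input is a list of
(tls: bool, raw_request: bytes); hostnames and fields below are
constructed, not taken from a real OsiriX MD deployment.
"""
import base64
import json
from urllib.parse import parse_qs

# Field names that usually carry a credential in a login form (heuristic,
# extend for the application under test).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret",
                     "token", "apikey", "api_key"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def credential_fields(headers, body):
    """Return the names of credential-bearing fields found in the request."""
    found = set()
    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" in ctype:
        for name in parse_qs(body.decode("utf-8", "replace")):
            if name.lower() in CREDENTIAL_FIELDS:
                found.add(name)
    elif "application/json" in ctype:
        try:
            obj = json.loads(body or b"{}")
        except ValueError:
            obj = {}
        if isinstance(obj, dict):
            found.update(k for k in obj if k.lower() in CREDENTIAL_FIELDS)
    # HTTP Basic is base64, not encryption: a plaintext hop exposes it fully.
    if headers.get("authorization", "").lower().startswith("basic "):
        found.add("authorization: basic")
    return found


def audit(captured):
    """Return one finding per request that sent credentials outside TLS."""
    findings = []
    for tls, raw in captured:
        method, target, headers, body = parse_request(raw)
        fields = credential_fields(headers, body)
        if fields and not tls:
            findings.append({"host": headers.get("host", "?"),
                             "method": method, "target": target,
                             "fields": sorted(fields)})
    return findings


# Constructed sample capture: the same login once over plain HTTP and once
# inside TLS, a Basic-auth API call over plain HTTP, and a harmless GET.
_HOST = "pacs-viewer.example.internal"  # placeholder, not a real system
_BASIC = base64.b64encode(b"admin:admin").decode()
SAMPLE_CAPTURE = [
    (False, b"POST /login HTTP/1.1\r\nHost: " + _HOST.encode() +
            b"\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"username=radiologist&password=Winter2024!"),
    (True,  b"POST /login HTTP/1.1\r\nHost: " + _HOST.encode() +
            b"\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"username=radiologist&password=Winter2024!"),
    (False, b"GET /studies HTTP/1.1\r\nHost: " + _HOST.encode() +
            b"\r\nAuthorization: Basic " + _BASIC.encode() + b"\r\n\r\n"),
    (False, b"GET / HTTP/1.1\r\nHost: " + _HOST.encode() + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE):
        print(f"{f['method']} {f['host']}{f['target']}: "
              f"credentials in cleartext ({', '.join(f['fields'])})")
```

Run against a capture of a real login to the portal taken from a second host on the same segment: any finding means the patch is not in place or the portal is still being reached over plain HTTP, and the credentials involved should be rotated.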

A high-severity use-after-free vulnerability can be triggered by an attacker who uploads a specially crafted DICOM file. Successful exploitation corrupts memory and causes a denial-of-service condition. The vulnerability is tracked as CVE-2025-27578 and has a CVSS v4 base score of 8.7 (CVSS v3.1: 7.5).

The third flaw is a medium-severity use-after-free vulnerability that requires a specially crafted DICOM file to be imported locally; exploitation results in memory corruption or a crash of the application. It is tracked as CVE-2025-31946 and has been assigned a CVSS v4 base score of 6.9 (CVSS v3.1: 6.2).


The vulnerabilities were identified by Chizuru Toyama and Canaan Kao of TXOne Networks, who reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). All three affect OsiriX MD versions 14.0.1 (build 2024-02-28) and earlier, and have been fixed in the latest version of the software. No exploitation in the wild is known, but users should update every instance of Pixmeo OsiriX MD to the latest version. Where the web portal has been used over a network that is not fully trusted, the credentials entered through it should be assumed exposed and rotated once the update is applied.

To reduce the risk of exploitation, Pixmeo OsiriX MD should not be reachable from the Internet; it should sit behind a firewall and be isolated from business networks. Where remote access is necessary, it should go through a secure channel such as a Virtual Private Network (VPN), bearing in mind that a VPN is only as secure as the devices connected to it, and physical access to the workstation should be restricted to authorized individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
