PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-1002 MicroDicom CVE debrief

CVE-2025-1002 is a medium-severity update integrity issue in MicroDicom DICOM Viewer. CISA says the application does not adequately verify the update server's certificate, which could let an attacker in a privileged network position intercept and modify update traffic and deliver a malicious update. MicroDicom's remediation is to upgrade to DICOM Viewer version 2025.1.

Vendor: MicroDicom
Product: Unknown
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-02-06
Original CVE updated: 2025-02-06
Advisory published: 2025-02-06
Advisory updated: 2025-02-06

Who should care

Organizations using MicroDicom DICOM Viewer and the teams responsible for its patching and update distribution should care, especially where update traffic may traverse shared or less-trusted networks.

Technical summary

The advisory describes a failure to adequately verify the update server certificate during update retrieval. In practical terms, that weakens update-channel integrity and can allow a machine-in-the-middle attack to alter the server response and substitute a malicious update. The supplied CVSS vector is CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, which reflects an adjacent-network attack path, required user interaction, and high integrity impact. The published remediation is to upgrade to DICOM Viewer version 2025.1.

Defensive priority

Medium priority; patch promptly for any deployed instance that can reach the update server over non-trusted or shared network paths.

Recommended defensive actions

  • Upgrade MicroDicom DICOM Viewer to version 2025.1 as recommended by the vendor.
  • Inventory all installed instances and prioritize systems whose update traffic may cross shared, proxied, or otherwise less-trusted networks.
  • Apply CISA industrial control system defense-in-depth and recommended-practices guidance to protect software update paths.
  • Use trusted software distribution controls and network segmentation to reduce the chance of update traffic interception or tampering.
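The class of defect the advisory describes, and the two controls the actions above call for (a properly verified TLS channel plus an independent check on the distributed artifact), can be illustrated with a small update-fetch client. This is an added example in Python, not MicroDicom's code and not a description of how its updater is actually written; the advisory only says the server certificate is not "adequately" verified. The host name, the installer bytes and the expected digest are constructed for the example, and the digest stands in for a value a vendor would publish out-of-band in a signed release manifest.

```python
import hashlib
import ssl
import urllib.request
from typing import Optional

# Constructed values for the example (not real): update host and the SHA-256 an
# administrator would obtain from a vendor-published, out-of-band release manifest.
UPDATE_HOST = "updates.example.invalid"
EXPECTED_SHA256 = hashlib.sha256(b"installer-bytes-v2025.1").hexdigest()


def weak_update_context() -> ssl.SSLContext:
    """The anti-pattern behind 'does not adequately verify the update server
    certificate': TLS is negotiated, but the chain is not validated and the host
    name is not compared, so any on-path host can present any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # chain not validated at all
    return ctx


def hardened_update_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Chain validated against the system roots or a vendor-specific CA bundle,
    host name checked, and TLS < 1.2 refused."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Policy check an audit script can run against a client's TLS configuration."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Second, channel-independent integrity check on the downloaded installer.
    A response altered in transit fails here even if the TLS layer was weak."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def fetch_update(url: str, ctx: ssl.SSLContext, expected_sha256: str) -> bytes:
    """Download with the given TLS policy and refuse to return anything whose
    digest does not match the out-of-band value."""
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        data = resp.read()
    if not verify_artifact(data, expected_sha256):
        raise ValueError("update artifact failed integrity check; not installing")
    return data


if __name__ == "__main__":
    print("weak context hardened?    ", context_is_hardened(weak_update_context()))
    print("hardened context hardened?", context_is_hardened(hardened_update_context()))
    print("artifact digest matches?  ",
          verify_artifact(b"installer-bytes-v2025.1", EXPECTED_SHA256))
    # fetch_update(f"https://{UPDATE_HOST}/viewer-2025.1.exe",
    #              hardened_update_context(), EXPECTED_SHA256)  # real download, not run here
```

`context_is_hardened` is the part worth keeping in a fleet-audit script: it turns the advisory's vague "adequately verify" into three concrete, checkable properties. Where an organization mirrors vendor updates internally, the same digest check lets the mirror refuse to publish a tampered installer regardless of how it was obtained.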

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSMA-25-037-01 published on 2025-02-06 and its linked remediation, which states that MicroDicom DICOM Viewer fails to adequately verify the update server certificate and recommends upgrading to version 2025.1. The supplied CVSS vector is CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N.

Official resources

Initial public disclosure was on 2025-02-06 in CISA advisory ICSMA-25-037-01.