PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-0896 Orthanc CVE debrief

CVE-2025-0896 affects Orthanc Server versions prior to 1.5.8. According to the CISA CSAF advisory, when remote access is enabled, basic authentication is not enabled by default, which can leave the service open to unauthorized access. The advisory rates the issue CVSS 9.8 (Critical). Orthanc advises updating to the latest version or explicitly enabling HTTP authentication by setting AuthenticationEnabled to true in the configuration file.

Vendor: Orthanc
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-02-06
Original CVE updated: 2025-02-06
Advisory published: 2025-02-06
Advisory updated: 2025-02-06

Who should care

Administrators and operators of Orthanc Server deployments, especially any instance with remote access enabled or reachable from non-trusted networks.

Technical summary

The issue is a default-configuration weakness: Orthanc Server prior to 1.5.8 does not enable basic authentication automatically when remote access is enabled. The supplied CSAF advisory states this can allow unauthorized access. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-reachable service with no privileges or user interaction required, and high confidentiality, integrity, and availability impact if exploited.

Defensive priority

Critical. Because the vulnerable service can be reachable over the network and the advisory indicates no authentication by default in remote-access configurations, remediation should be treated as urgent.

Recommended defensive actions

  • Update Orthanc Server to the latest available version, or at minimum to 1.5.8 or later per the advisory.
  • If remote access must remain enabled, set "AuthenticationEnabled": true in the Orthanc configuration file.
  • Review all Orthanc deployments for exposed remote access and verify authentication is actually enforced.
  • Restrict network exposure to trusted management networks while remediation is being applied.
  • Validate access controls after updating by confirming unauthenticated requests are rejected.
  • Monitor the vendor download and advisory page for any follow-up guidance.
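The following Python script is an added example for the review and validation steps above; it is not Orthanc project code or part of the advisory. It audits an Orthanc JSON configuration for the weak combination the advisory describes (remote access on, authentication not explicitly on) and includes a small post-update probe that reports the HTTP status an unauthenticated request receives. The key RemoteAccessAllowed, the RegisteredUsers map, and the /system REST endpoint are Orthanc's own; the sample configurations and the alice placeholder are constructed for illustration.

```python
"""Audit an Orthanc configuration for CVE-2025-0896 exposure (added example)."""
import json
import urllib.error
import urllib.request
from typing import Dict, List

# Constructed sample configurations (not from the advisory).
WEAK_CONFIG = '{"RemoteAccessAllowed": true, "HttpPort": 8042}'
NO_USERS_CONFIG = ('{"RemoteAccessAllowed": true, "AuthenticationEnabled": true, '
                   '"RegisteredUsers": {}}')
FIXED_CONFIG = ('{"RemoteAccessAllowed": true, "AuthenticationEnabled": true, '
                '"RegisteredUsers": {"alice": "REPLACE_WITH_STRONG_PASSWORD"}}')


def load_config(text: str) -> Dict:
    """Parse an Orthanc configuration file.

    Orthanc's own config files are JSON (Orthanc tolerates C-style comments,
    which this plain loader does not strip; remove them before auditing).
    """
    return json.loads(text)


def audit_auth(config: Dict) -> List[str]:
    """Return findings about remote access vs. authentication settings."""
    findings: List[str] = []
    remote = bool(config.get("RemoteAccessAllowed", False))
    # Treat a missing AuthenticationEnabled as disabled: per the advisory,
    # versions before 1.5.8 do not turn it on by default.
    auth_value = config.get("AuthenticationEnabled")
    auth_enabled = bool(auth_value) if auth_value is not None else False
    users = config.get("RegisteredUsers") or {}

    if remote and not auth_enabled:
        findings.append(
            "CRITICAL: RemoteAccessAllowed is true but AuthenticationEnabled "
            "is not set to true (CVE-2025-0896 exposure)")
    if remote and auth_enabled and not users:
        findings.append(
            "WARNING: authentication is enabled but RegisteredUsers is empty; "
            "verify that credentials are provisioned for this deployment")
    if not remote and not auth_enabled:
        findings.append(
            "INFO: remote access is disabled; authentication being off only "
            "affects clients on the local host")
    return findings


def probe_unauthenticated(base_url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status of an unauthenticated GET /system.

    Run this against your own Orthanc instance after remediation; a 401 (or
    403) means the REST API now rejects requests without credentials.
    """
    url = base_url.rstrip("/") + "/system"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def unauthenticated_rejected(status: int) -> bool:
    """True when the status from probe_unauthenticated indicates a rejection."""
    return status in (401, 403)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG),
                       ("no-users", NO_USERS_CONFIG),
                       ("fixed", FIXED_CONFIG)):
        print(name, audit_auth(load_config(text)) or ["OK"])
```

Run the script as-is to see the three constructed configurations classified; point probe_unauthenticated at your own Orthanc base URL (for example http://localhost:8042) once the update or configuration change has been applied and confirm unauthenticated_rejected returns True.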

Evidence notes

Source corpus indicates CISA advisory ICSMA-25-037-02, published 2025-02-06, with the same CVE description and remediation guidance. The advisory states: "Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled." The CSAF metadata also provides the CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Official resources

Publicly disclosed by CISA in ICS Medical Advisory ICSMA-25-037-02 on 2025-02-06. No Known Exploited Vulnerabilities (KEV) listing was provided in the supplied data.