PatchSiren cyber security CVE debrief
CVE-2023-40704 Philips CVE debrief
Philips Vue PACS versions prior to 12.2.8.410 do not enforce unique and complex password creation during installation, allowing continued use of default credentials. An attacker with adjacent network access and high privileges who obtains or guesses the default password could gain database access, with potential impacts to system availability and data integrity. The vulnerability was published on July 18, 2024, and modified on November 21, 2024, when Philips removed other vulnerabilities from the advisory following further analysis showing they did not affect the device or had no security impact. Philips assesses this specific issue as low risk for exploitability and recommends no required action, though customers may request database password updates. Managed services customers may receive new releases subject to resource availability and country-specific regulations.
- Vendor: Philips
- Product: Vue PACS
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-18
- Original CVE updated: 2024-11-21
- Advisory published: 2024-07-18
- Advisory updated: 2024-11-21
Who should care
Healthcare delivery organizations operating Philips Vue PACS installations, particularly those with managed services deployments; biomedical engineering and clinical engineering teams responsible for medical imaging system security; healthcare CISOs and risk management personnel overseeing medical device cybersecurity programs.
Technical summary
The Vue PACS installation process does not mandate unique, complex passwords, permitting continued use of vendor default credentials. Successful exploitation requires adjacent network access and high privileges, with compromise enabling database access that threatens system availability and data integrity.
Defensive priority
medium
Recommended defensive actions
- Contact your local Philips sales representative or submit a request through the Philips Informatics Support portal to inquire about new release eligibility for managed services installations.
- Request database password updates from Philips if desired, though no action is required per vendor risk assessment.
- Review and implement CISA ICS recommended practices for defense-in-depth strategies applicable to medical imaging systems.
- Monitor the Philips Product Security portal for additional advisory updates.
Evidence notes
Source: CISA CSAF advisory ICSMA-24-200-01. CVSS 3.1 vector: AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. Affected product: Philips Vue PACS <12.2.8.410.
Official resources
- CVE-2023-40704 CVE record (CVE.org)
- CVE-2023-40704 NVD detail (NVD)
- Source item URL: cisa_csaf
CISA published ICSMA-24-200-01 on July 18, 2024, with Update A released November 21, 2024.