PatchSiren cyber security CVE debrief
CVE-2025-27578 Pixmeo CVE debrief
CVE-2025-27578 affects Pixmeo OsiriX MD and was published by CISA on 2025-05-08. The advisory says a crafted DICOM file can trigger a use-after-free condition, leading to memory corruption and a denial-of-service impact. The issue is scored CVSS 7.5 (HIGH) with availability impact only. Pixmeo recommends updating to the latest version of OsiriX MD.
- Vendor: Pixmeo
- Product: OsiriX MD
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-08
- Original CVE updated: 2025-05-08
- Advisory published: 2025-05-08
- Advisory updated: 2025-05-08
Who should care
Hospitals, clinics, and imaging teams that use Pixmeo OsiriX MD; endpoint and application security teams responsible for medical imaging software; and IT staff managing DICOM upload workflows or systems exposed to untrusted file intake.
Technical summary
The source advisory describes a use-after-free vulnerability in OsiriX MD. An attacker who can upload a crafted DICOM file may trigger memory corruption and crash the application, causing denial of service. The supplied CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-reachable attack with no privileges or user interaction required and high availability impact.
Defensive priority
High
Recommended defensive actions
- Install the latest version of OsiriX MD from Pixmeo as soon as possible.
- Inventory all OsiriX MD deployments and confirm which systems are exposed to DICOM file uploads or other untrusted input paths.
- Limit access to DICOM upload and ingestion workflows to trusted users and trusted network segments where feasible.
- Monitor for crashes, memory faults, or repeated service restarts in affected imaging workflows.
- Contact Pixmeo directly if you need vendor support or clarification about remediation.
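The monitoring step above is the one that can be automated. The script below is an added example written for this debrief; it is not code from PatchSiren, Pixmeo or CISA. It parses constructed log lines (the "timestamp host message" layout and the crash wording are assumptions, not real OsiriX MD or macOS output) and raises an alert when one host logs three or more OsiriX MD crashes inside a 30-minute window, which is the pattern a crafted-DICOM denial of service would leave behind.

```python
"""Flag repeated OsiriX MD crashes that may indicate a crafted-DICOM DoS (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines. The "<ISO timestamp> <host> <message>" layout and the
# message wording are assumptions for this example, not real product log output.
SAMPLE_LOG = """\
2025-05-09T08:00:01 imaging-ws01 OsiriX MD started pid=4021
2025-05-09T08:14:22 imaging-ws01 OsiriX MD[4021] crashed: EXC_BAD_ACCESS (SIGSEGV)
2025-05-09T08:14:40 imaging-ws01 OsiriX MD started pid=4105
2025-05-09T08:21:03 imaging-ws01 OsiriX MD[4105] crashed: EXC_BAD_ACCESS (SIGSEGV)
2025-05-09T08:21:30 imaging-ws01 OsiriX MD started pid=4188
2025-05-09T08:27:55 imaging-ws01 OsiriX MD[4188] crashed: EXC_BAD_ACCESS (SIGSEGV)
2025-05-09T09:00:10 imaging-ws02 OsiriX MD started pid=512
2025-05-09T09:05:44 imaging-ws02 OsiriX MD[512] crashed: EXC_BAD_ACCESS (SIGSEGV)
2025-05-09T10:30:00 imaging-ws02 OsiriX MD started pid=530
"""

PROCESS_NAME = "OsiriX MD"
# Substrings treated as crash indicators; assumed wording, adjust to your log source.
CRASH_MARKERS = ("crashed", "EXC_BAD_ACCESS", "SIGSEGV", "SIGABRT")
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def parse_events(text):
    """Return sorted (timestamp, host, kind) tuples for lines mentioning the process.

    kind is "crash", "start" or "other"; lines about other processes are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or PROCESS_NAME not in m.group("msg"):
            continue
        msg = m.group("msg")
        if any(marker in msg for marker in CRASH_MARKERS):
            kind = "crash"
        elif " started " in f" {msg} ":
            kind = "start"
        else:
            kind = "other"
        events.append((datetime.fromisoformat(m.group("ts")), m.group("host"), kind))
    return sorted(events)


def find_crash_bursts(events, threshold=3, window=timedelta(minutes=30)):
    """Sliding-window crash count per host; one alert per host when threshold is hit."""
    recent = {}      # host -> deque of crash timestamps inside the window
    alerted = set()
    alerts = []
    for ts, host, kind in events:
        if kind != "crash":
            continue
        q = recent.setdefault(host, deque())
        q.append(ts)
        while ts - q[0] > window:   # drop crashes that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "first": q[0], "last": ts, "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in find_crash_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['host']}: {alert['count']} {PROCESS_NAME} crashes "
              f"between {alert['first']} and {alert['last']}")
```

Run against the sample data, imaging-ws01 is flagged (three crashes in under 14 minutes) while imaging-ws02, with a single crash, is not. Point the parser at your real crash-reporter or service-manager output, keep the per-host windowing, and route alerts to the team that owns the DICOM intake path.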
Evidence notes
Primary facts come from the CISA CSAF advisory for CVE-2025-27578 and its associated references. The advisory states the flaw is a use-after-free that can be triggered by a crafted DICOM file, causing memory corruption and denial of service. The advisory also provides the vendor remediation to download the latest version of OsiriX MD. The CVE and advisory were published and last modified on 2025-05-08; no KEV entry was provided in the supplied corpus.
Official resources
- CVE-2025-27578 CVE record (CVE.org)
- CVE-2025-27578 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in the CISA CSAF advisory ICSMA-25-128-01 on 2025-05-08. The supplied corpus does not list the issue in CISA KEV, and no ransomware campaign association is provided.