PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-27720 Pixmeo CVE debrief

CVE-2025-27720 is a high-severity (CVSS 7.4) issue in Pixmeo OsiriX MD: the Web Portal transmits credential information without encryption, so an attacker who can observe the traffic path can capture those credentials directly from the wire and reuse them.

Vendor: Pixmeo
Product: OsiriX MD
CVSS: 7.4 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-05-08
Original CVE updated: 2025-05-08
Advisory published: 2025-05-08
Advisory updated: 2025-05-08

Who should care

Organizations running Pixmeo OsiriX MD, in particular teams that administer or depend on the OsiriX MD Web Portal, and any deployment where portal traffic crosses untrusted or shared network segments on its way to the user.

Technical summary

CISA's advisory states that the OsiriX MD Web Portal transmits credential information without encryption. In practice this means the credential exchange is readable by anyone positioned on the network path (a shared LAN segment, a compromised switch or router, an untrusted upstream network); no cryptography has to be broken, a passive capture is enough to steal the credentials, and the same position also permits active tampering with the session.

Defensive priority

High. The issue directly affects credential confidentiality and enables account compromise wherever portal traffic can be observed. Because the advisory describes cleartext credential transmission, prioritize remediation for every deployment that exposes the affected portal, and treat the exposure window as running from the first deployment of the portal, not from the advisory date.

Recommended defensive actions

  • Install the latest version of OsiriX MD as recommended by Pixmeo.
  • If you need assistance or cannot confirm that the running version is the updated one, contact Pixmeo directly through the vendor support channel.
  • Review how the Web Portal is reached and restrict access to trusted networks (or a VPN) until the updated version is in place.
  • Treat credentials used through the portal as exposed if they could have crossed a network an attacker might observe, and rotate them; this includes credentials that were only ever entered from inside the organization, since internal segments are often shared.
  • Verify that portal traffic is actually protected by encryption end to end, and that no configuration, reverse proxy, load balancer, or alternate deployment path reintroduces cleartext credential handling (for example a proxy that terminates TLS and forwards plain HTTP across another network).
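The last two items above can be checked from a packet capture. The following is an added example written for this debrief, not code from CISA's advisory or from Pixmeo: a small Python detector that takes a captured HTTP request and reports credentials that crossed the network in cleartext (HTTP Basic headers, password-style fields in form or JSON bodies, and secrets in the URL query). The host name portal.example.internal, the endpoint paths and the sample requests are constructed for illustration and say nothing about how the OsiriX MD Web Portal itself transmits credentials.

```python
"""Flag credentials sent over unencrypted HTTP in captured requests.

Added example for this debrief; not part of CISA's advisory or of
OsiriX MD. Host name, paths and sample requests below are constructed.
"""
import base64
import json
from urllib.parse import parse_qs

# Field names that typically carry a secret (form, JSON or query string).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def find_cleartext_credentials(raw: str, tls: bool) -> list[str]:
    """Return findings for credentials that were observable on the wire.

    `tls` records whether the capture came from a TLS-protected connection;
    such traffic is skipped, because its plaintext is not observable by a
    network attacker. Only plain-HTTP requests are inspected.
    """
    if tls:
        return []
    req = parse_http_request(raw)
    findings = []

    # 1. Authorization header: Basic is username:password in base64.
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            findings.append(f"HTTP Basic credentials for user '{decoded.split(':', 1)[0]}'")
        except ValueError:
            findings.append("HTTP Basic header (undecodable)")
    elif auth:
        findings.append(f"Authorization header ({auth.split()[0]} scheme)")

    # 2. Request body: form-encoded or JSON login payloads.
    ctype = req["headers"].get("content-type", "")
    body = req["body"]
    if "application/x-www-form-urlencoded" in ctype:
        for field in parse_qs(body):
            if field.lower() in CREDENTIAL_FIELDS:
                findings.append(f"form field '{field}' in POST body")
    elif "application/json" in ctype:
        try:
            obj = json.loads(body)
        except json.JSONDecodeError:
            obj = {}
        for field in (obj if isinstance(obj, dict) else {}):
            if field.lower() in CREDENTIAL_FIELDS:
                findings.append(f"JSON field '{field}' in POST body")

    # 3. Query string: secrets here also end up in proxy and server logs.
    query = req["target"].partition("?")[2]
    for field in parse_qs(query):
        if field.lower() in CREDENTIAL_FIELDS:
            findings.append(f"query parameter '{field}' in URL")
    return findings


# Constructed sample: a login form POST captured on port 80 (no TLS).
SAMPLE_FORM_LOGIN = (
    "POST /login HTTP/1.1\r\n"
    "Host: portal.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

# Constructed sample: an API call using HTTP Basic auth ("alice:hunter2").
SAMPLE_BASIC_AUTH = (
    "GET /api/studies HTTP/1.1\r\n"
    "Host: portal.example.internal\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw, tls in [("form login over HTTP", SAMPLE_FORM_LOGIN, False),
                            ("basic auth over HTTP", SAMPLE_BASIC_AUTH, False),
                            ("form login over TLS", SAMPLE_FORM_LOGIN, True)]:
        print(f"{label}: {find_cleartext_credentials(raw, tls) or 'no cleartext credentials'}")
```

Run it over requests reassembled from a capture taken on the portal's listening port, and again on the far side of any reverse proxy or load balancer: a TLS-terminating proxy that forwards plain HTTP to the application server is exactly the kind of deployment path the last bullet warns about, and the capture on that hop will show the credentials even when the browser-facing side is encrypted.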

Evidence notes

Based on the supplied CISA CSAF advisory (ICSMA-25-128-01) for CVE-2025-27720, published 2025-05-08. The advisory description and notes state that the OsiriX MD Web Portal sends credential information without encryption and that an attacker could steal credentials. The remediation section directs users to download the latest version of OsiriX MD and to contact Pixmeo for support. The supplied data does not list a KEV entry.

Official resources

Initial public disclosure in CISA’s advisory ICSMA-25-128-01 on 2025-05-08, matching the CVE published date supplied in the source corpus. No Known Exploited Vulnerabilities (KEV) listing is included in the supplied data.