PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-54156 Santesoft CVE debrief

CVE-2025-54156 affects Santesoft Sante PACS Server and is documented by CISA as an issue where the Web Portal sends credential information without encryption. The advisory rates the issue HIGH (CVSS 7.4) and recommends updating to version 4.2.3 or later. Organizations using the portal should treat this as a credential-protection problem that needs prompt remediation.

Vendor: Santesoft
Product: Sante PACS Server
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2025-08-12
Advisory published: 2025-08-12
Advisory updated: 2025-08-12

Who should care

Healthcare IT teams, PACS administrators, security teams, and operators running Sante PACS Server Web Portal instances, especially where credentials are entered or managed through the portal.

Technical summary

CISA’s CSAF advisory for ICSMA-25-224-01 states that the Sante PACS Server Web Portal sends credential information without encryption. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, which indicates a network-reachable issue (AV:N) with high attack complexity (AC:H), no privileges or user interaction required (PR:N, UI:N), and potential high impact to confidentiality and integrity (C:H, I:H) with no availability impact. The vendor remediation listed in the advisory is to update Sante PACS Server to Version 4.2.3 or later.

Defensive priority

High. Prioritize remediation promptly because the issue concerns credential transmission and is rated HIGH in the supplied advisory data.

Recommended defensive actions

  • Update Sante PACS Server to version 4.2.3 or later, as recommended by Santesoft.
  • Confirm the Web Portal is using encrypted transport for credential-related traffic.
  • Restrict access to the portal to trusted users and networks until the upgrade is complete.
  • Review authentication logs and reset affected credentials if there is any indication they may have been exposed.
  • Monitor the advisory references for any updated vendor or CISA guidance.
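One way to act on the second and fourth bullets above with captured traffic, as an added example that is not PatchSiren's, CISA's or Santesoft's code: a checker that takes records like those a network sensor or reverse proxy would produce (transport type plus the raw HTTP request) and flags any request that carried credential material over an unencrypted connection. The record format, the header and form-field names, the host name and the sample requests are constructed assumptions, not details of the Sante PACS Server Web Portal.

```python
"""Flag credentials observed on unencrypted HTTP (added example, not product code).
Input records are constructed to resemble sensor output; the header and field
names below are assumptions and should be extended to match the portal in use."""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Request headers that carry authentication material (assumption).
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}
# Form or query field names commonly used for passwords (assumption).
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}


@dataclass
class Observation:
    src: str        # client address from sensor metadata
    dst_port: int   # server port the request was sent to
    tls: bool       # True if the connection was TLS-protected
    request: str    # raw HTTP/1.1 request (headers and body)


@dataclass
class Finding:
    src: str
    dst_port: int
    reason: str


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credential_indicators(raw: str) -> list:
    """Return human-readable reasons why this request carries credentials."""
    request_line, headers, body = parse_request(raw)
    reasons = [f"{h} header" for h in sorted(CREDENTIAL_HEADERS & headers.keys())]
    # Password fields in a form-encoded body.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
        reasons += [f"form field '{f}'" for f in sorted(PASSWORD_FIELDS & fields)]
    # Password fields in the query string of the request target.
    parts = request_line.split(" ", 2)
    if len(parts) == 3 and "?" in parts[1]:
        qs = {k.lower() for k in parse_qs(parts[1].split("?", 1)[1], keep_blank_values=True)}
        reasons += [f"query parameter '{f}'" for f in sorted(PASSWORD_FIELDS & qs)]
    return reasons


def find_plaintext_credentials(observations) -> list:
    """Report credential material seen on connections without TLS."""
    findings = []
    for obs in observations:
        if obs.tls:
            continue  # encrypted transport: not exposed on the wire
        for reason in credential_indicators(obs.request):
            findings.append(Finding(obs.src, obs.dst_port, reason))
    return findings


LOGIN_FORM = ("POST /login HTTP/1.1\r\nHost: pacs.example.internal\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n"
              "Content-Length: 31\r\n\r\nusername=alice&password=s3cret!")

# Constructed sample records: the same login over plain HTTP and over TLS,
# an API call with HTTP Basic auth over plain HTTP, and a static asset fetch.
SAMPLE_OBSERVATIONS = [
    Observation("10.0.0.5", 80, False, LOGIN_FORM),
    Observation("10.0.0.5", 443, True, LOGIN_FORM),
    Observation("10.0.0.9", 8080, False,
                "GET /api/studies HTTP/1.1\r\nHost: pacs.example.internal\r\n"
                "Authorization: Basic YWxpY2U6czNjcmV0IQ==\r\n\r\n"),
    Observation("10.0.0.7", 80, False,
                "GET /viewer/app.js HTTP/1.1\r\nHost: pacs.example.internal\r\n\r\n"),
]


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_OBSERVATIONS):
        print(f"{f.src} -> port {f.dst_port}: {f.reason} sent without TLS")
```

Run against the constructed records, the checker reports two exposures (the plain-HTTP login form and the Basic-auth API call) and stays silent for the TLS login and the asset fetch. A non-empty result after the upgrade to 4.2.3 would mean the portal is still reachable over plaintext and that the affected accounts belong on the reset list from the fourth bullet.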

Evidence notes

Primary evidence comes from the CISA CSAF advisory for ICSMA-25-224-01 / CVE-2025-54156, which explicitly states: "The Sante PACS Server Web Portal sends credential information without encryption." The same advisory includes the vendor remediation to update PACS Server to Version 4.2.3 or later and provides the CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. The supplied timeline shows initial publication and modification on 2025-08-12.

Official resources

Initial publication in the supplied timeline is 2025-08-12T06:00:00.000Z, with no later modification reflected in the provided data.