CVE-2021-28165 The Eclipse Foundation CVE debrief

Who should care

Healthcare organizations using Philips Vue PACS for medical imaging, particularly those with versions prior to 12.2.8.410. Hospital IT security teams responsible for medical device network segmentation and availability of critical imaging systems.

Technical summary

The vulnerability exists in Philips Vue PACS versions below 12.2.8.410. Attackers on the adjacent network can trigger CPU and memory exhaustion through high-volume request flooding or large data submissions. The attack requires no authentication or user interaction. Successful exploitation results in application unavailability but does not compromise patient data confidentiality or integrity. The CVSS 3.1 score of 6.5 (Medium) reflects the adjacent network attack vector and high availability impact with no confidentiality or integrity effects.

Defensive priority

medium

Recommended defensive actions

• Upgrade Philips Vue PACS to version 12.2.8.410 or later, released October 2023
• Configure Vue PACS environment per Philips document D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter
• For managed services customers, contact local Philips sales representative or submit request via Philips Informatics Support portal for release scheduling
• Ensure hospital private network segmentation with firewalls and VPNs to limit attacker access
• Monitor for unusual resource consumption patterns on Vue PACS servers

Evidence notes

Vulnerability details sourced from CISA CSAF advisory ICSMA-24-200-01, published 2024-07-18 and updated 2024-11-21. CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H confirms adjacent network attack vector with high availability impact. Philips remediation guidance specifies version 12.2.8.410 as the fix.

Official resources