CVE-2018-25124 in PacsOne Server
Summary
by MITRE • 11/11/2025
PacsOne Server version 6.6.2 (prior versions are likely affected) contains a directory traversal vulnerability within the web-based DICOM viewer component. Successful exploitation allows a remote unauthenticated attacker to read arbitrary files via the 'nocache.php' endpoint with a crafted 'path' parameter. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
Analysis
by VulDB Data Team • 11/21/2025
The vulnerability identified as CVE-2018-25124 represents a critical directory traversal flaw in PacsOne Server version 6.6.2 and potentially earlier releases. This security weakness resides within the web-based DICOM viewer component of the medical imaging system, which is commonly deployed in healthcare environments for storing and retrieving medical images. The vulnerability manifests through the 'nocache.php' endpoint, which fails to properly validate or sanitize user-supplied input parameters. This allows an attacker to manipulate the 'path' parameter in a manner that bypasses normal file access controls and retrieves arbitrary files from the server's file system. The attack vector is particularly concerning because it requires no authentication credentials, making it accessible to any remote attacker who can reach the affected system. The vulnerability was confirmed through monitoring activities conducted by the Shadowserver Foundation, which documented exploitation attempts occurring on February 2, 2025, UTC, demonstrating that this flaw was actively being targeted in the wild.
This directory traversal vulnerability stems from inadequate input validation within the DICOM viewer's file handling mechanism. When a user requests a file through the web interface, the 'nocache.php' script processes the 'path' parameter without proper sanitization or access control checks. This allows attackers to craft malicious input sequences such as '../' or similar path manipulation techniques that cause the application to traverse directories beyond its intended scope. The vulnerability maps directly to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common weakness in software development. The flaw allows an attacker to bypass the application's intended file access restrictions and potentially read sensitive files, including configuration data, database credentials, application source code, or other system files that should remain protected. The implications extend beyond simple information disclosure, as these files may contain sensitive patient data, system credentials, or proprietary information that could be exploited for further attacks.
The operational impact of this vulnerability is severe for healthcare organizations utilizing PacsOne Server deployments. Medical imaging systems are often considered critical infrastructure components that store vast amounts of sensitive patient information, making them attractive targets for cybercriminals. Successful exploitation could result in unauthorized access to patient records, medical images, and potentially expose the entire network infrastructure to further compromise. The remote unauthenticated nature of the attack means that adversaries can exploit this vulnerability from anywhere on the internet without requiring prior access to the network or valid credentials. This creates a significant risk for healthcare organizations that may have these systems exposed to the public internet without proper network segmentation or access controls. The vulnerability also poses risks to compliance with healthcare regulations such as HIPAA, as unauthorized access to protected health information constitutes a serious violation. Organizations may face regulatory penalties, legal consequences, and reputational damage if patient data is compromised through such attacks.
Organizations affected by this vulnerability should implement immediate mitigations to protect their systems from exploitation. The primary recommendation is to apply the vendor-provided patches or updates that address the directory traversal flaw in the web-based DICOM viewer component. Until patches are available or applied, network administrators should implement restrictive firewall rules that limit access to the affected endpoints to trusted networks only. The 'nocache.php' endpoint should be secured through proper input validation and sanitization mechanisms that prevent path traversal sequences from being processed. Additionally, organizations should conduct thorough security assessments of their medical imaging systems to identify other potential vulnerabilities and ensure proper network segmentation between critical systems and public-facing interfaces. Implementing web application firewalls and intrusion detection systems can provide additional layers of protection against exploitation attempts. Organizations should also review their access controls and implement the principle of least privilege for all system components, ensuring that only authorized personnel have access to sensitive medical data and system configuration files. The vulnerability highlights the importance of maintaining up-to-date security practices and regularly reviewing the security posture of critical healthcare infrastructure components.
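To support the detection layer mentioned above, the following Python example (added here, not part of the advisory or of PacsOne's code) scans web server access log lines for requests to 'nocache.php' whose 'path' parameter contains a '..' segment after repeated percent-decoding. The combined log format, the `/app/` directory, the file names and the IP addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT = "nocache.php"  # endpoint named in the advisory
PARAM = "path"            # parameter named in the advisory


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    norm = fully_decode(value).replace("\\", "/")
    return ".." in norm.split("/")


def suspicious_requests(log_lines):
    """Return (client_ip, target) for nocache.php hits with a traversing 'path'."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.rsplit("/", 1)[-1].lower() != ENDPOINT:
            continue
        # parse_qsl decodes once; is_traversal strips any further encoding layers
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == PARAM and is_traversal(value):
                hits.append((line.split(" ", 1)[0], m.group("target")))
                break
    return hits


# Constructed sample lines: documentation IPs, placeholder directory and file names.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Feb/2025:10:00:01 +0000] "GET /app/nocache.php?path=images/study1.jpg HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Feb/2025:10:00:05 +0000] "GET /app/nocache.php?path=..%2F..%2F..%2Fexample.conf HTTP/1.1" 200 812',
    '198.51.100.7 - - [02/Feb/2025:10:00:09 +0000] "GET /app/nocache.php?path=%252e%252e%255c%252e%252e%255cexample.ini HTTP/1.1" 200 640',
    '192.0.2.10 - - [02/Feb/2025:10:00:12 +0000] "GET /app/index.php?path=../x HTTP/1.1" 404 0',
]
```

Flagged requests that received a 200 response with a non-trivial body size are the ones to prioritise when reviewing historical logs for possible file disclosure.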