CVE-2018-25142 in NovaPACS Diagnostics Viewer
Summary
by MITRE • 12/24/2025
NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.
Analysis
by VulDB Data Team • 12/25/2025
The vulnerability CVE-2018-25142 represents a critical unauthenticated XML External Entity injection flaw in NovaRad NovaPACS Diagnostics Viewer version 8.5.19.75. This security weakness resides within the application's XML preference import functionality, which fails to properly validate or sanitize incoming XML data during the import process. The vulnerability stems from the application's improper handling of XML entities, particularly when processing user-supplied XML configuration files that contain DTD parameter entities. Attackers can exploit this flaw by crafting malicious XML files that reference external resources through parameter entities, enabling them to perform out-of-band data exfiltration attacks. The vulnerability specifically affects the XML preference import settings functionality, which is commonly used by medical imaging professionals to configure diagnostic viewer preferences and settings.
The technical exploitation of this XXE vulnerability follows standard attack patterns that align with CWE-611, which categorizes insecure direct object references and XML external entity processing issues. The flaw allows attackers to leverage parameter entities within DTD declarations to create malicious XML documents that can access local system resources through out-of-band channels. This typically involves constructing XML payloads that reference external servers or local files, enabling attackers to retrieve sensitive data such as system configuration files, user credentials, or other confidential information stored on the target system. The attack vector does not require authentication, making it particularly dangerous as it can be exploited by anyone who can submit XML preference files to the vulnerable application. The vulnerability demonstrates characteristics consistent with ATT&CK technique T1566.001, which covers the exploitation of XML external entity injection vulnerabilities in applications.
The operational impact of this vulnerability within medical imaging environments is severe, particularly given the sensitive nature of diagnostic data and patient information handled by NovaPACS systems. An attacker who successfully exploits this vulnerability could gain unauthorized access to critical medical imaging configurations, potentially leading to data breaches that compromise patient privacy and violate healthcare regulations such as HIPAA. The out-of-band nature of the attack makes detection particularly challenging as it does not rely on traditional response-based methods but instead uses network communication patterns to exfiltrate data. Organizations using NovaPACS Diagnostics Viewer 8.5.19.75 face significant risk of unauthorized data access, system compromise, and potential regulatory penalties. The vulnerability affects not only the confidentiality of medical data but also the integrity and availability of the diagnostic imaging infrastructure, potentially disrupting critical healthcare operations.
Mitigation strategies for CVE-2018-25142 should focus on immediate remediation through official vendor patches and updates to the NovaPACS Diagnostics Viewer application. Organizations should implement strict input validation and sanitization measures for all XML data processing within the application, particularly for preference import functionality. The implementation of XML parsers that disable external entity resolution and DTD processing can effectively prevent XXE attacks. Network-level controls including firewall rules and intrusion detection systems should be configured to monitor for suspicious outbound connections that may indicate data exfiltration attempts. Additionally, organizations should enforce the principle of least privilege for the application, limiting its access to only necessary system resources and implementing regular security assessments of medical imaging systems. The vulnerability underscores the importance of secure coding practices and proper XML handling in healthcare applications, aligning with industry standards for medical device security and regulatory compliance requirements.
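The parser-level mitigation described above, sketched as an added example (this is not NovaRad's code and not part of the original advisory): an import routine that refuses any preference file containing a DOCTYPE before the file reaches the real parser. The `<preferences>`/`<setting>` schema, the function names and both sample files are assumptions made for illustration, and Python stands in for whatever language the product uses.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafePreferenceFile(ValueError):
    """Import file carries a DTD or is not well-formed XML."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as it sees "<!DOCTYPE", before any general or
    # parameter entity in the DTD is declared or expanded.
    raise UnsafePreferenceFile(f"DOCTYPE {name!r} not allowed in preference import")


def load_preferences(data: bytes) -> dict:
    """Refuse any file with a DTD, then parse it into {name: value}."""
    screen = expat.ParserCreate()
    screen.StartDoctypeDeclHandler = _reject_doctype
    try:
        screen.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafePreferenceFile(f"malformed XML: {exc}") from exc
    root = ET.fromstring(data)  # reached only when the screen found no DTD
    # Hypothetical schema: <preferences><setting name="...">value</setting></preferences>
    return {s.get("name"): (s.text or "").strip() for s in root.iter("setting")}


# Constructed sample inputs (not taken from the product or the advisory).
BENIGN = b"""<?xml version="1.0"?>
<preferences>
  <setting name="layout">2x2</setting>
  <setting name="window_preset">lung</setting>
</preferences>"""

WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE preferences [
  <!ENTITY % remote SYSTEM "http://collector.example.invalid/ext.dtd">
]>
<preferences><setting name="layout">2x2</setting></preferences>"""

if __name__ == "__main__":
    print(load_preferences(BENIGN))
    try:
        load_preferences(WITH_DTD)
    except UnsafePreferenceFile as err:
        print("rejected:", err)
```

Rejecting the DOCTYPE outright is stricter than disabling external entity resolution alone; it fits a preference format that has no legitimate need for a DTD.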