In the fast-evolving field of digital healthcare, the imperative to secure medical software and devices has reached a critical level. That urgency is thrown into sharp relief by the recent CISA advisory spotlighting multiple severe vulnerabilities in INFINITT Healthcare’s widely used Picture Archiving and Communication System (PACS). This in-depth feature unpacks the technical details, attack scenarios, and industry implications, and offers a critical lens on how the intersection of medical IT, regulatory oversight, and cybersecurity maturity shapes risk for healthcare providers and patients alike.

Unpacking the Latest CISA Advisory: INFINITT PACS Under the Microscope​

Startling the healthcare IT community, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert concerning several vulnerabilities in INFINITT Healthcare’s PACS, a core platform for the storage, retrieval, and sharing of medical imaging. If exploited, these flaws could enable remote attackers to upload malicious files, gain unauthorized access, or compromise sensitive patient and system information within hospital environments.
Let’s break down the essence of the vulnerabilities, the risk calculus for affected organizations, and the broader lessons for medical and IT practitioners navigating the ever-expanding attack surface of interconnected healthcare.

The Thin Margin Between IT and Patient Safety​

Modern healthcare leans heavily on digitization—think MRI results shared across continents in real time, remote surgery planning, and AI-powered diagnostics. PACS sits at the heart of this transformation, serving radiology, cardiology, and nearly every modern specialty. But as this edge of progress has widened, so too has the target available to cyber adversaries.
The consequences of a breach extend far beyond the IT department. Medical images can be altered, diagnoses delayed, and—more alarmingly—ransomware can paralyze entire hospital operations. In healthcare, security lapses quickly become issues of patient safety and trust.

Technical Dissection of the Vulnerabilities​

CISA’s advisory describes three CVEs affecting INFINITT PACS System Manager versions 3.0.11.5 BN9 and earlier. Each is a distinct risk vector, but all are exploitable over the network with low attack complexity, a combination no security team wants to see in a clinical system.

CVE-2025-27714: Unrestricted File Upload​

This vulnerability lets attackers upload arbitrary files via a particular system endpoint, potentially paving the way to remote code execution. Malicious actors could implant web shells, deploy ransomware, or launch lateral movement across the medical network.
  • CVSS v3.1 Base Score: 6.3 (Medium)
  • CVSS v4 Score: 5.3 (Medium)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
The scores and the practical implications point the same way. "Privileges Required: Low" means an attacker needs only a low-privileged account on the system, and from that foothold an unmitigated file upload path rarely ends with benign outcomes.

CVE-2025-24489: Arbitrary File Upload via Specific Service​

With characteristics and impact similar to CVE-2025-27714, this flaw marks another avenue for unauthorized file uploads. Attackers exploiting this could again traverse the spectrum from system tampering to full compromise.

CVE-2025-27721: Unauthorized System Access​

Most troubling, perhaps, is CVE-2025-27721, which enables attackers—without requiring any privileges—to gain access to system resources, including sensitive patient data and configuration files.
  • CVSS v3.1 Base Score: 7.5 (High)
  • CVSS v4 Score: 8.7 (High)
  • Attack Vector: Network
  • Privileges Required: None
This represents a classic “front door left open” flaw: no credentials required, no need for social engineering—a remotely accessible entry point to critical healthcare data.

Assessing the Real-World Impact​

It’s one thing to score a vulnerability on a technical scale; it’s another to consider how exploitation unfolds in a hospital setting.
Imagine a scenario where an adversary uploads a remote access trojan via the PACS interface. With low complexity and no need for elevated permissions, within minutes, the entire image archive—potentially spanning terabytes of sensitive, regulated data—is at risk. Even more dire: attackers could intercept live imaging traffic, alter diagnostic results, or use compromised systems as a springboard for ransomware attacks that cripple hospital operations overnight.
The impact isn’t theoretical. The healthcare sector has already suffered some of the costliest ransomware incidents in recent years, with PACS and other clinical systems often being prime targets.

The Global Scope: Healthcare and Public Health at Risk​

INFINITT PACS is not confined to a niche market. Deployed at hospitals and clinics worldwide, it serves as a backbone for digital radiology and medical imaging, with installations spanning corporate group practices to sprawling urban medical centers and even rural health outposts.
The vulnerabilities disclosed affect installations across the globe. Although the vulnerabilities were reported to CISA by the Shadowserver Foundation, their reach extends well beyond North America, highlighting the international interconnectedness and shared risks of contemporary digital healthcare.

Noteworthy Strengths in the Response​

To its credit, INFINITT Healthcare has been proactive in mitigation. The company quickly identified the affected software versions, developed a targeted patch (with version 3.0.11.5 BN10 or later not vulnerable), and issued configuration recommendations for limiting unauthorized file uploads. The distinction that “INFINITT ULite is not affected”—except when integrated with vulnerable PACS servers—provides additional clarity, helping users scope their risk assessment.
This responsiveness is key. Many organizations lag in patching or take a reactive stance, but INFINITT’s relatively swift patch rollout—coupled with actionable guidance—marks a significant strength.

Critical Analysis: Hidden Risks and Lessons Learned​

Despite a clear vendor response, several hidden risks demand urgent attention:

The Pitfall of Patch Lag​

As with many enterprise environments, healthcare IT teams are often overburdened, lacking streamlined processes for vetting and deploying software patches. Version drift, legacy integrations, and regulatory hurdles can delay critical security updates, sometimes for months. Attackers, on the other hand, move fast—often weaponizing disclosed vulnerabilities within days of public advisories.

Network Segmentation (or Lack Thereof)​

The advisory urges organizations to segment PACS from business networks and to shield them from direct Internet exposure. Yet, surveys and breach analyses routinely find PACS servers exposed to the public web, with default credentials or unpatched vulnerabilities. This disconnect, between security best practices and on-the-ground realities, represents a persistent weak link.

Remote Access: A Double-Edged Sword​

Permitting remote administration—often via VPNs—remains essential for many healthcare environments. However, VPNs themselves have been targets of high-profile attacks, and legacy devices seldom support strong cipher suites or robust multifactor authentication. In such ecosystems, introducing remote access can mean swapping one vulnerability for another.

Third-Party and Integrated System Risk​

INFINITT’s note regarding ULite’s integration risk highlights a broader issue: PACS rarely exists as a siloed product. Imaging networks routinely stitch together dozens of components, from modality workstations to cloud archiving and specialist analytics dashboards. Vulnerabilities in one subsystem can quickly propagate, creating wider attack surfaces than vendors or IT teams may anticipate.

Beyond IT: The Stakes for Patients, Regulators, and Industry​

Perhaps the most profound risk relates to patient safety and trust. Even a minor compromise can have far-reaching consequences:
  • Patient Harm: Altered images or delayed diagnosis can lead to clinical errors and negative health outcomes.
  • Regulatory Fines: GDPR, HIPAA, and other frameworks impose severe penalties for breaches involving medical data.
  • Loss of Institutional Trust: With headlines now routinely carrying news of hospital cyberattacks, public confidence is increasingly brittle.
For healthcare executives and compliance teams, these advisories are not just technical footnotes—they demand clear communication, policy review, and rapid mobilization across multiple departments.

Practical Steps and Defense-in-Depth Strategies​

What should organizations do in the face of these threats? CISA’s recommendations strike a balance between immediate triage and longer-term defense:
  • Patch Immediately: Update PACS System Manager to at least version 3.0.11.5 BN10.
  • Restrict Uploads: Configure file upload policies to accept only vetted, expected file types, checked by file content rather than by extension or client-supplied content type, and store uploads where the web server cannot execute them.
  • Enforce Strong Authentication: Implement strong password policies and monitor for unauthorized access attempts.
  • Network Segmentation: Shield PACS from the public internet, placing it behind firewalls and isolating clinical systems from general business networks.
  • Secure Remote Access: Where remote access is absolutely required, use up-to-date VPNs with multifactor authentication and monitor endpoints rigorously.
  • Enable Logging: Comprehensive audit trails, particularly of file upload and access events, are vital for detecting and investigating suspicious activity.
  • Ongoing Assessment: Regular vulnerability scans and penetration testing, with a focus on medical IoT and integrated systems, can provide crucial early warning.
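The following is an added example, not INFINITT’s code or configuration, that ties together the unrestricted file upload class behind CVE-2025-27714 and CVE-2025-24489, the "no credentials required" access of CVE-2025-27721, and the "Restrict Uploads", "Enforce Strong Authentication" and "Enable Logging" steps above. It shows the naive destination-path pattern that makes such uploads exploitable beside a hardened acceptance check for a DICOM import endpoint, and a small triage routine over the audit events the check emits. The endpoint, role name `pacs_import`, size bound and sample inputs are all assumptions for illustration.

```python
"""Added example: a content-validated upload check next to the naive pattern that
makes unrestricted uploads exploitable, plus triage over the audit trail it emits.
Hypothetical endpoint and role names; not INFINITT's code or configuration."""
import hashlib
import os
import posixpath
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Optional

DICOM_PREAMBLE_LEN = 128            # Part-10 DICOM: 128-byte preamble, then b"DICM"
DICOM_MAGIC = b"DICM"
ALLOWED_EXTENSIONS = {".dcm"}       # assumed policy: only DICOM objects expected here
MAX_UPLOAD_BYTES = 2 * 1024 ** 3    # assumed size bound, checked before any parsing
UPLOAD_ROLE = "pacs_import"         # hypothetical role name, not an INFINITT identifier


def naive_destination(upload_dir: str, client_filename: str) -> str:
    """The pattern behind CWE-434 bugs: the server trusts the client's filename
    and type, so '../../var/www/shell.aspx' escapes the upload directory and can
    land where the web server will execute it. Shown for contrast only."""
    return posixpath.normpath(posixpath.join(upload_dir, client_filename))


def is_dicom(data: bytes) -> bool:
    """Validate by content (magic bytes), never by extension or Content-Type header."""
    end = DICOM_PREAMBLE_LEN + len(DICOM_MAGIC)
    return len(data) > end and data[DICOM_PREAMBLE_LEN:end] == DICOM_MAGIC


@dataclass
class Decision:
    accepted: bool
    reason: str
    stored_name: str = ""
    sha256: str = ""


def check_upload(principal: Optional[dict], client_filename: str, data: bytes):
    """Hardened acceptance logic. Returns (Decision, audit_event); the caller logs
    the event whatever the outcome and, on acceptance, writes `data` under the
    server-chosen name into a directory the web server never serves or executes."""
    digest = hashlib.sha256(data).hexdigest()
    event = {"principal": (principal or {}).get("user", "<anonymous>"),
             "client_filename": client_filename, "bytes": len(data), "sha256": digest}

    def reject(reason: str):
        event.update(outcome="rejected", reason=reason)
        return Decision(False, reason, sha256=digest), event

    if not principal:                                   # no anonymous "front door"
        return reject("unauthenticated")
    if UPLOAD_ROLE not in principal.get("roles", ()):   # authorization, not just login
        return reject("missing_role")
    if len(data) > MAX_UPLOAD_BYTES:
        return reject("too_large")
    base = posixpath.basename(client_filename.replace("\\", "/"))   # drop any path
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXTENSIONS:
        return reject("bad_extension")
    if not is_dicom(data):                              # the name said .dcm; verify it
        return reject("not_dicom")
    stored = f"{secrets.token_hex(16)}.dcm"             # nothing user-controlled on disk
    event.update(outcome="accepted", reason="ok", stored_name=stored)
    return Decision(True, "ok", stored_name=stored, sha256=digest), event


def triage(events: list, threshold: int = 3) -> list:
    """Detection over the audit trail: any unauthenticated attempt, and any
    principal racking up `threshold` rejections, is worth an analyst's look."""
    alerts = []
    if any(e["reason"] == "unauthenticated" for e in events):
        alerts.append("unauthenticated upload attempts against the import endpoint")
    rejected = Counter(e["principal"] for e in events if e["outcome"] == "rejected")
    for who, n in rejected.items():
        if n >= threshold:
            alerts.append(f"{who}: {n} rejected uploads (probing the filter?)")
    return alerts


# Constructed sample inputs, not real PACS traffic.
GOOD_DICOM = b"\x00" * 128 + b"DICM" + b"\x02\x00\x10\x00UI\x14\x001.2.840.10008.1.2.1\x00"
WEB_SHELL = b'<%@ Page Language="C#" %><% /* stand-in for a web shell body */ %>'
OPERATOR = {"user": "tech01", "roles": ["pacs_import"]}

if __name__ == "__main__":
    print(naive_destination("/srv/pacs/uploads", "../../var/www/shell.aspx"))
    log = [check_upload(OPERATOR, n, d)[1] for n, d in
           [("study.dcm", GOOD_DICOM), ("shell.aspx", WEB_SHELL),
            ("shell.dcm", WEB_SHELL), ("x.php", WEB_SHELL)]]
    log.append(check_upload(None, "study.dcm", GOOD_DICOM)[1])
    for e in log:
        print(e["principal"], e["outcome"], e["reason"])
    print(triage(log))
```

The order of checks matters: authentication and authorization come before the file is even looked at, the size bound comes before any parsing, and the client-supplied name is reduced to a basename for the extension check and then discarded entirely in favour of a server-generated one. Renaming a web shell to `shell.dcm` still fails, because the DICOM magic check is on content, and the triage pass surfaces exactly the accounts that keep tripping that filter.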

Social Engineering and the Human Factor​

The best technical controls can still be subverted by user error or social engineering. CISA’s advisory ends with prudent reminders: avoid clicking unknown links or opening attachments in unsolicited emails, and regularly update staff on how to spot phishing attempts. In healthcare, where staff turnover is high and digital literacy varies, ongoing training is as essential as any firewall.

Looking Ahead: Can Healthcare Stay a Step Ahead of Attackers?​

The wave of vulnerabilities disclosed over the past year, from medical imaging to insulin pumps and beyond, underscores a sobering reality: as healthcare grows more technologically sophisticated, so too does its exposure to digital risk. The sector’s fundamental mission—healing and protecting patients—cannot succeed without an equally robust commitment to cybersecurity.
CISA’s INFINITT advisory joins an expanding catalog of medical cyber risks, but it also offers a roadmap for how the industry can respond:
  • Vendors must architect products with secure defaults and rapid update cycles.
  • Hospitals and clinics need to audit, patch, and train continuously.
  • Regulators must enforce, but also enable the sharing of threat intelligence and best practices.

Conclusion: Security Is Patient Safety​

Far from being a technical formality, patching and securing medical PACS systems is now a frontline component of patient safety. Each vulnerability—whether it's a file upload bug or an unrestricted access point—has the potential to impact not just data, but lives. The good news is that with rapid patches, robust configuration, and a united stance across IT, clinical, and executive teams, the majority of these risks can be mitigated.
For medical IT professionals, the INFINITT Healthcare advisory is both warning and challenge. It’s a call to reassess not only systems, but also the human processes and organizational priorities that define security in the modern hospital. The ultimate message? In digital health, there’s no room for complacency—only the relentless pursuit of resilience, one patch, policy, and practice at a time.

Source: INFINITT Healthcare INFINITT PACS | CISA (www.cisa.gov)