CVE-2023-40704: CWE-1392 Use of Default Credentials in Philips Vue PACS

Severity: Medium
Tags: Vulnerability, CVE-2023-40704, cve, cve-2023-40704, cwe-1392
Published: Thu Jul 18 2024 (07/18/2024, 16:33:27 UTC)
Source: CVE
Vendor/Project: Philips
Product: Vue PACS

Description

The product does not require unique and complex passwords to be created during installation. Using Philips's default password could jeopardize the PACS system if the password was hacked or leaked. An attacker could gain access to the database impacting system availability and data integrity.

AI-Powered Analysis

Last updated: 06/25/2025, 16:51:09 UTC

Technical Analysis

CVE-2023-40704 identifies a vulnerability in Philips Vue PACS (Picture Archiving and Communication System) related to the use of default credentials during installation. Specifically, the system does not enforce the creation of unique and complex passwords, allowing the default Philips password to remain active. This weakness falls under CWE-1392, which concerns the use of default credentials that are often well-known or easily guessable. An attacker who obtains or guesses these default credentials can gain unauthorized access to the PACS database. Such access could lead to significant impacts on system availability and data integrity, as the attacker might manipulate, delete, or disrupt medical imaging data. The vulnerability has a CVSS 3.1 base score of 6.8, categorized as medium severity, with the vector indicating that the attack requires adjacent network access (AV:A), low attack complexity (AC:L), high privileges (PR:H), no user interaction (UI:N), unchanged scope (S:U), and impacts confidentiality, integrity, and availability at a high level (C:H/I:H/A:H). Although no public exploits are currently known, the presence of default credentials is a common and easily exploitable security flaw, especially in healthcare environments where PACS systems are critical for clinical workflows. The lack of enforced password complexity during installation increases the risk that default credentials remain unchanged, making the system vulnerable to credential-based attacks. Given the critical nature of medical imaging data and the role of PACS in patient care, this vulnerability poses a significant risk to healthcare providers using Philips Vue PACS.

Potential Impact

For European organizations, particularly healthcare providers, this vulnerability could lead to unauthorized access to sensitive medical imaging data, potentially violating patient privacy regulations such as GDPR. Compromise of the PACS database could disrupt clinical operations by affecting the availability of imaging data, delaying diagnoses and treatments. Data integrity impacts could result in corrupted or altered images, leading to misdiagnosis or treatment errors. Additionally, unauthorized access could facilitate lateral movement within hospital networks, increasing the risk of broader system compromise. The medium CVSS score reflects that while exploitation requires some privileges and network proximity, the consequences of a successful attack are severe. Given the critical role of PACS in healthcare infrastructure, any disruption or data breach could have serious patient safety and regulatory compliance implications. European healthcare organizations are often targeted due to the value of medical data and the criticality of healthcare services, making this vulnerability particularly concerning in this region.

Mitigation Recommendations

1. Enforce immediate password changes: Organizations should ensure that default credentials are changed during or immediately after installation. This can be enforced through installation policies or configuration management tools.
2. Implement strong password policies: Require complex, unique passwords for all PACS system accounts, including administrative and service accounts.
3. Network segmentation: Isolate PACS systems on dedicated network segments with strict access controls to limit exposure to adjacent network attackers.
4. Multi-factor authentication (MFA): Where possible, enable MFA for access to PACS administrative interfaces to reduce the risk of credential compromise.
5. Regular audits and monitoring: Conduct periodic audits to verify that default credentials are not in use and monitor access logs for suspicious activity.
6. Vendor coordination: Engage with Philips to obtain patches or updates that enforce password complexity and remove default credentials.
7. Incident response planning: Prepare for potential compromise scenarios involving PACS systems, including data integrity verification and recovery procedures.
8. User training: Educate IT and clinical staff about the risks of default credentials and the importance of secure credential management specific to medical devices and systems.

Technical Details

Data Version: 5.1
Assigner Short Name: icscert
Date Reserved: 2023-08-21T22:12:52.587Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed0e1

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 4:51:09 PM

Last updated: 8/12/2025, 8:56:50 PM
