CVE-2025-27714: CWE-434 in INFINITT Healthcare INFINITT PACS System Manager
An attacker could exploit this vulnerability by uploading arbitrary files via a specific endpoint, leading to unauthorized remote code execution or system compromise.
AI Analysis
Technical Summary
CVE-2025-27714 is a vulnerability identified in the INFINITT Healthcare INFINITT PACS System Manager, a medical imaging management solution widely used in healthcare environments for storing and accessing medical images. The vulnerability is classified under CWE-434, which pertains to unrestricted file upload. Specifically, an attacker can exploit this flaw by uploading arbitrary files through a particular endpoint in the system. This unrestricted file upload can lead to unauthorized remote code execution or full system compromise. The vulnerability requires low attack complexity (AC:L) and only low privileges (PR:L) but does not require user interaction (UI:N). The attack vector is network-based (AV:N), meaning the attacker can exploit the vulnerability remotely over the network. The CVSS 3.1 base score is 6.3, indicating a medium severity level, with impacts on confidentiality, integrity, and availability rated as low to medium. The vulnerability could allow an attacker to execute malicious code remotely, potentially gaining control over the PACS system, which could lead to unauthorized access to sensitive patient data, manipulation or deletion of medical images, and disruption of healthcare services dependent on the PACS system. Although no known exploits are currently reported in the wild, the potential impact on healthcare operations and patient privacy is significant given the critical role of PACS systems in clinical workflows.
Potential Impact
For European healthcare organizations, this vulnerability poses a substantial risk. PACS systems are integral to diagnostic imaging workflows, and compromise could lead to unauthorized access to sensitive patient health information, violating GDPR and other data protection regulations. Disruption or manipulation of medical images could result in misdiagnosis or delayed treatment, directly impacting patient safety. Additionally, system compromise could enable attackers to pivot within hospital networks, potentially affecting other critical systems. The healthcare sector in Europe is a frequent target for cyberattacks, and the presence of this vulnerability increases the attack surface. The medium CVSS score reflects that while exploitation requires some privileges, the lack of user interaction and network accessibility make it a viable threat. The absence of known exploits currently provides a window for proactive mitigation, but the critical nature of the affected system elevates the urgency for patching and protective measures.
Mitigation Recommendations
Given the absence of an official patch at the time of this report, European healthcare providers should implement compensating controls immediately. These include restricting network access to the PACS System Manager endpoints using network segmentation and firewall rules to limit exposure to trusted personnel and systems only. Employ strict access controls and multi-factor authentication to reduce the risk posed by low-privilege attackers. Monitor logs and network traffic for unusual file upload activity or anomalous behavior indicative of exploitation attempts. Implement application-layer filtering or web application firewalls (WAFs) to detect and block malicious file uploads. Regularly back up PACS data and verify backup integrity to enable recovery in case of compromise. Once a patch becomes available, prioritize its deployment in all affected environments. Additionally, conduct security awareness training for administrators to recognize and respond to potential exploitation attempts.
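The technical summary above describes the CWE-434 pattern (an endpoint that accepts arbitrary files) and the mitigation section asks for application-layer filtering of uploads. The following is an added example of what that filtering looks like in code; it is not INFINITT's code and nothing on this page describes the affected endpoint's behaviour. It assumes a PACS-like service that should only accept DICOM objects and two raster image types, so the allowlist, size limit and sample inputs are all assumptions chosen for illustration. The checks are the standard defensive set: reject unsafe filenames, bound the size, allow only a short list of extensions, require the bytes to match that extension (not the client-declared type), and never store the file under the client's name.

```python
import os
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical upload policy. The page does not say what the affected endpoint
# accepts, so this allowlist is an assumption for a PACS-like service: DICOM
# objects plus PNG/JPEG previews, each mapped to the MIME types a client may declare.
ALLOWED_TYPES = {
    "dcm": ("application/dicom",),
    "png": ("image/png",),
    "jpg": ("image/jpeg",),
}
MAX_UPLOAD_BYTES = 64 * 1024 * 1024  # assumed per-file limit
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,100}")  # plain names only, no separators


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-chosen name; empty when rejected


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the real content type from magic bytes, ignoring what the client claims."""
    # DICOM Part 10 files carry a 128-byte preamble followed by the ASCII magic "DICM".
    if len(data) > 132 and data[128:132] == b"DICM":
        return "dcm"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    return None


def validate_upload(filename: str, declared_mime: str, data: bytes) -> UploadDecision:
    # 1. Reject path tricks before the name gets anywhere near the filesystem:
    #    any directory component, NUL byte or unusual character fails here.
    base = os.path.basename(filename)
    if base != filename or not SAFE_NAME.fullmatch(base):
        return UploadDecision(False, "unsafe filename")
    # 2. Bound the size so the endpoint cannot be used to fill the disk.
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        return UploadDecision(False, "size out of bounds")
    # 3. Extension allowlist (denylists miss variants; an allowlist does not).
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension not allowed: {ext or '(none)'}")
    # 4. The bytes must agree with the extension, and the declared MIME type must
    #    be one we accept for it. A script renamed to .dcm fails the first check.
    if sniff_type(data) != ext:
        return UploadDecision(False, "content does not match extension")
    if declared_mime not in ALLOWED_TYPES[ext]:
        return UploadDecision(False, "declared MIME type not allowed")
    # 5. Store under a random server-chosen name with the validated extension,
    #    so the client controls neither the path nor the name of the stored object.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadDecision(True, "ok", stored)


# Constructed sample inputs (not captured traffic). The "DICOM" sample is only the
# preamble, magic and a few bytes of a group-2 element, enough for the sniff check.
SAMPLE_DICOM = b"\x00" * 128 + b"DICM" + b"\x02\x00\x00\x00UL\x04\x00" + b"\x00" * 16
SAMPLE_SHELL = b"#!/bin/sh\necho hello\n"


def run_samples() -> Dict[str, UploadDecision]:
    """Run the validator over the constructed samples and return each decision."""
    return {
        "valid dicom": validate_upload("study001.dcm", "application/dicom", SAMPLE_DICOM),
        "script by extension": validate_upload("tool.sh", "application/x-sh", SAMPLE_SHELL),
        "renamed script": validate_upload("scan.dcm", "application/dicom", SAMPLE_SHELL),
        "traversal": validate_upload("../../uploads/escape.dcm", "application/dicom", SAMPLE_DICOM),
    }


if __name__ == "__main__":
    for label, decision in run_samples().items():
        print(f"{label:22s} accepted={decision.accepted} reason={decision.reason} stored={decision.stored_name}")
```

Only the first sample is accepted; the other three are refused by different checks (extension allowlist, content mismatch, unsafe filename), which is the point of layering them: a single check such as the extension alone would pass the renamed script. Where such a validator is added in front of an existing service, the rejection reasons are also the events worth logging and alerting on, matching the log-monitoring recommendation above.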
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: icscert
- Date Reserved: 2025-03-19T16:39:28.817Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a77b71ad5a09ad0017da7a
Added to database: 8/21/2025, 8:02:57 PM
Last enriched: 8/21/2025, 8:19:24 PM
Last updated: 8/21/2025, 9:13:04 PM
Related Threats
- CVE-2025-43753: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal (Low)
- CVE-2025-51606: n/a (Critical)
- CVE-2025-43747: CWE-918 Server-Side Request Forgery (SSRF) in Liferay DXP (Medium)
- CVE-2025-24489: CWE-434 in INFINITT Healthcare INFINITT PACS System Manager (Medium)
- CVE-2025-55231: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in Microsoft Windows Server 2019 (High)