CVE-2025-27721: CWE-497 in INFINITT Healthcare INFINITT PACS System Manager
Unauthorized users can access INFINITT PACS System Manager without proper authorization, which could lead to unauthorized access to system resources.
AI Analysis
Technical Summary
CVE-2025-27721 is a high-severity vulnerability identified in the INFINITT Healthcare INFINITT PACS System Manager, a critical component used for managing Picture Archiving and Communication Systems (PACS) in healthcare environments. The vulnerability is classified under CWE-497, which pertains to the use of exposed credentials or improper authorization mechanisms. Specifically, this flaw allows unauthorized users to gain access to the INFINITT PACS System Manager without proper authentication or authorization controls. The CVSS 3.1 base score of 7.5 reflects a network attack vector (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is primarily on confidentiality (C:H), with no direct impact on integrity (I:N) or availability (A:N). This means that an attacker can remotely access sensitive system resources and potentially view or exfiltrate protected medical imaging data and related patient information without needing any credentials or user interaction. The vulnerability affects all versions indicated as '0' in the affectedVersions field, which likely means the initial or all versions prior to patching. No patches or known exploits in the wild have been reported at the time of publication (August 21, 2025). Given the critical role of PACS in healthcare workflows, unauthorized access could lead to significant privacy violations and regulatory compliance issues. The vulnerability's presence in a healthcare-specific system manager highlights the risk of exposure of sensitive patient data and potential disruption of healthcare services through unauthorized system management access.
Potential Impact
For European organizations, particularly hospitals and healthcare providers using INFINITT PACS systems, this vulnerability poses a significant risk to patient data confidentiality. Unauthorized access to the PACS System Manager could allow attackers to view or extract sensitive medical images and associated patient information, violating GDPR and other data protection regulations. This could lead to legal penalties, loss of patient trust, and reputational damage. Additionally, while the vulnerability does not directly impact system integrity or availability, unauthorized access to system management interfaces could be leveraged as a foothold for further attacks or lateral movement within healthcare networks. The exposure of such critical healthcare infrastructure could also disrupt clinical workflows, delaying diagnosis and treatment. Given the increasing targeting of healthcare systems by cybercriminals and nation-state actors, this vulnerability could be exploited for espionage, ransomware deployment, or data theft, amplifying its impact on European healthcare organizations.
Mitigation Recommendations
1. Immediately implement network segmentation and access controls so that only trusted internal systems and authorized personnel can reach the INFINITT PACS System Manager.
2. Deploy strict firewall rules and VPN requirements to limit remote access to the management interface.
3. Monitor network traffic and system logs for unauthorized access attempts or anomalous activity targeting the PACS System Manager.
4. Engage with INFINITT Healthcare for any available patches or security updates, and apply them promptly once released.
5. Implement multi-factor authentication (MFA) and strong authentication around all PACS management interfaces, even where not natively supported, through compensating controls such as reverse proxies or identity-aware proxies.
6. Conduct regular security audits and penetration testing focused on PACS infrastructure to identify and remediate similar authorization weaknesses.
7. Educate healthcare IT staff about this vulnerability and enforce strict operational security policies to minimize exposure.
8. Prepare incident response plans that specifically address potential breaches involving PACS systems, to ensure rapid containment and remediation.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: icscert
- Date Reserved: 2025-03-19T16:39:28.803Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a777e4ad5a09ad0017b038
Added to database: 8/21/2025, 7:47:48 PM
Last enriched: 8/21/2025, 8:02:52 PM
Last updated: 8/21/2025, 8:17:51 PM
Related Threats
CVE-2025-51606: n/a (Critical)
CVE-2025-43747: CWE-918 Server-Side Request Forgery (SSRF) in Liferay DXP (Medium)
CVE-2025-27714: CWE-434 in INFINITT Healthcare INFINITT PACS System Manager (Medium)
CVE-2025-24489: CWE-434 in INFINITT Healthcare INFINITT PACS System Manager (Medium)
CVE-2025-55231: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in Microsoft Windows Server 2019 (High)