Full Report
1. EXECUTIVE SUMMARY

- CVSS v4 5.7
- ATTENTION: Low attack complexity
- Vendor: Medixant
- Equipment: RadiAnt DICOM Viewer
- Vulnerability: Improper Certificate Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform a machine-in-the-middle attack (MITM), resulting in malicious updates being delivered to the user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Medixant products are affected:

- RadiAnt DICOM Viewer: Version 2024.02

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295

The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.

CVE-2025-1001 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-1001. A base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

- CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Poland

3.4 RESEARCHER

Sharon Brizinov of Claroty Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Medixant recommends users download the v2025.1 or later version of their software.

If users are unable to update to the new version, Medixant recommends the following:

- Disable the display of available updates via this command: `reg add "HKCU\Software\RadiAnt Viewer" /t REG_DWORD /v CheckUpdate /d 0 /f`
- Do not check manually for updates ("Check for updates now" from the toolbar menu).
- Ignore any update notifications coming from RadiAnt DICOM Viewer; download the latest version directly in the web browser from https://www.radiantviewer.com.
- Check the downloaded RadiAnt DICOM Viewer installation package with antivirus software before running it.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

- February 20, 2025: Initial Publication
Analysis Summary
# Vulnerability: RadiAnt DICOM Viewer Improper Certificate Validation
## CVE Details
- CVE ID: CVE-2025-1001
- CVSS Score: 5.7 (CVSS v3.1) | 5.7 (CVSS v4)
- CWE: CWE-295 (Improper Certificate Validation)
## Affected Systems
- Products: Medixant RadiAnt DICOM Viewer
- Versions: 2024.02
- Configurations: Applicable to systems utilizing the embedded update mechanism.
## Vulnerability Description
The update mechanism in RadiAnt DICOM Viewer fails to properly verify the update server's certificate. This vulnerability allows an attacker controlling network traffic to execute a Man-in-the-Middle (MITM) attack. The attacker can then alter the server's response to deliver a malicious software update directly to the user.
## Exploitation
- Status: No known public exploitation reported to CISA.
- Complexity: Low Attack Complexity (AC:L)
- Attack Vector: Adjacent (AV:A) - The attacker needs access to the network path between the viewer and the update server (for example, the same local network) rather than remote access to the system itself. User interaction is also required (UI:R in CVSS v3.1, UI:A in CVSS v4).
## Impact
- Confidentiality: No Impact Noted (C:N)
- Integrity: High Impact (I:H) - Due to the potential delivery of malicious updates.
- Availability: No Impact Noted (A:N)
## Remediation
### Patches
- **Recommended Version:** v2025.1 or later. (Download link: hxxps://www.radiantviewer.com/files/RadiAnt-2025.1-Setup.exe)
### Workarounds
If updating is not immediately possible, users should perform the following:
1. **Disable Automatic Updates:** Disable the display of available updates using the registry command: `reg add "HKCU\Software\RadiAnt Viewer" /t REG_DWORD /v CheckUpdate /d 0 /f`
2. **Avoid Manual Updates:** Do not use the "Check for updates now" option from the toolbar menu.
3. **Ignore Notifications:** Ignore update notifications from RadiAnt DICOM Viewer.
4. **Direct Download:** If updating manually is necessary, download the latest version directly from the vendor's website using a web browser: hxxps://www.radiantviewer.com
5. **Verification:** Check the downloaded installation package using antivirus software before execution.
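
An added PowerShell example (not part of the advisory or Medixant's tooling): the workaround in step 1 writes to HKCU, so it only covers the user who ran it. This script checks every user hive currently loaded under HKEY_USERS for the advisory's `CheckUpdate` value and, with the `-Fix` switch, sets it to 0. The `-Fix` parameter and the state names are assumptions of this example, and profiles whose hives are not loaded are not covered.

```powershell
# Added example: audit the CheckUpdate workaround across loaded user hives.
# Run from an elevated prompt. -Fix (hypothetical switch) applies the workaround.
param([switch]$Fix)

$subKey    = 'Software\RadiAnt Viewer'  # key path from the advisory
$valueName = 'CheckUpdate'              # value name from the advisory

# Per-user hives appear under HKEY_USERS as SIDs. Keep local/domain (S-1-5-21-*)
# and Entra ID (S-1-12-1-*) accounts; skip service SIDs and the *_Classes hives.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }

$results = foreach ($hive in $hives) {
    $sid     = $hive.PSChildName
    $keyPath = "Registry::HKEY_USERS\$sid\$subKey"

    # Resolve the SID to an account name for the report; unmapped SIDs stay as-is.
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $sid
    }

    if (-not (Test-Path -Path $keyPath)) {
        # No RadiAnt settings key under this profile, so there is nothing to set.
        $state = 'KeyAbsent'
    } else {
        $current = (Get-ItemProperty -Path $keyPath -Name $valueName `
                        -ErrorAction SilentlyContinue).$valueName
        if ($current -eq 0) {
            $state = 'WorkaroundApplied'
        } elseif ($Fix) {
            # Same effect as the advisory's reg add command, for this user's hive.
            New-ItemProperty -Path $keyPath -Name $valueName `
                -PropertyType DWord -Value 0 -Force | Out-Null
            $state = 'FixedNow'
        } else {
            $state = 'WorkaroundMissing'  # value absent or non-zero
        }
    }
    [pscustomobject]@{ Account = $account; Sid = $sid; State = $state }
}

$results | Format-Table -AutoSize
```

Run it without `-Fix` first to see which accounts still report `WorkaroundMissing`.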
## Detection
- **Indicators of Compromise:** Look for abnormal network traffic related to the RadiAnt update service attempting to connect to unofficial or suspicious endpoints, or unauthorized software installation originating from the update mechanism.
- **Detection methods and tools:** Monitor network traffic patterns related to the application's update checks. Vendors recommend network isolation and review of firewall logs. CISA recommends general network segmentation for ICS/control systems.
## References
- [Vendor Advisory (Implied by mitigation steps)]
- [CISA ICS Alert (General Defense Guidance): hxxps://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01]
- [CISA ICS Page: hxxps://www.cisa.gov/topics/industrial-control-systems]
- [Defense-in-Depth Strategies: hxxps://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf]
- [Proactive Defense Practices: hxxps://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf]
- [Intrusion Detection Guide (ICS-TIP-12-146-01B): hxxps://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B]
- [Email Scams Avoidance: hxxps://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf]
- [Social Engineering Avoidance: hxxps://www.cisa.gov/uscert/ncas/tips/ST04-014]