INFINITT Healthcare discovered three vulnerabilities in its INFINITT PACS, one of them a high-severity flaw for which exploits are publicly available. CISA's alert states that the vulnerabilities can be exploited with low attack complexity.
CVE-2025-27721 is the high-severity vulnerability. An unauthorized user who successfully exploits it could access the system without authorization and obtain system credentials. It has a CVSS v4 base score of 8.7 and a CVSS v3.1 base score of 7.5.
The other two vulnerabilities are rated medium severity, with CVSS v4 base scores of 5.3 and CVSS v3.1 base scores of 6.3. Both stem from insufficient controls against unsafe file uploads. The first, tracked as CVE-2025-27714, allows a malicious actor to upload arbitrary files through a particular endpoint. The second, tracked as CVE-2025-24489, allows an attacker to upload arbitrary files through a particular service, potentially leading to a system compromise. The vulnerabilities were discovered and reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) by Piotr Kijewski of the Shadowserver Foundation.
All three vulnerabilities are resolved in the most recent software version, 3.0.11.5 BN10, and later versions. Customers should upgrade to the newest version immediately to avoid exploitation, and covered entities should include this in the protocols taught in their HIPAA training programs. INFINITT Healthcare noted that INFINITT ULite is not affected, but if it runs as an integrated system inside INFINITT PACS, it must be patched to protect the PACS environment.
Beyond applying the patches, INFINITT Healthcare recommends using strong passwords, maintaining logs to track unauthorized access attempts, and configuring the System Manager to restrict suspicious file uploads. Users should also ensure that their PACS servers are not directly connected to the Internet.
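The two medium-severity flaws described above are both "insufficient controls on file uploads", and the vendor's last mitigation is to restrict suspicious uploads. The following is an added example, not INFINITT's code and not a description of how the patched PACS actually validates uploads; it shows the checks a defender would expect an image-ingest endpoint to enforce before writing a client-supplied file to disk. The policy values (only `.dcm` allowed, the size limit, the list of executable suffixes) and all function names are assumptions for illustration; the sample payloads in the usage block are constructed.

```python
"""Added example (not INFINITT's code): a defensive upload gate for a
PACS-style ingest endpoint. Policy values below are illustrative assumptions."""
import hashlib
import os
import posixpath
from dataclasses import dataclass

# Assumed policy: the ingest endpoint only ever stores DICOM objects.
ALLOWED_EXTENSIONS = {".dcm"}
MAX_UPLOAD_BYTES = 512 * 1024 * 1024  # assumed 512 MiB cap
# DICOM Part 10 files: 128-byte preamble followed by the 4-byte magic "DICM".
DICOM_PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"
# Suffixes an application or web server might execute if a file lands under
# a served or scanned directory; any of these anywhere in the name is rejected.
EXECUTABLE_SUFFIXES = {".jsp", ".jspx", ".aspx", ".asp", ".php", ".exe", ".dll", ".sh", ".bat"}


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-generated name; never the client's


def _basename(client_name: str) -> str:
    """Strip directory components using both separator styles."""
    return posixpath.basename(client_name.replace("\\", "/"))


def validate_upload(client_name: str, size: int, head: bytes) -> UploadDecision:
    """Decide whether an upload may be stored.

    client_name: filename as sent by the client (untrusted).
    size:        observed byte length of the payload.
    head:        the first bytes of the payload (>= 132 needed for DICOM detection).
    """
    if size <= 0 or size > MAX_UPLOAD_BYTES:
        return UploadDecision(False, "size out of policy")

    name = _basename(client_name)
    if not name or name in (".", ".."):
        return UploadDecision(False, "empty or traversal filename")
    if name != client_name:
        # A path where a filename is expected is a traversal attempt; log it.
        return UploadDecision(False, "path components in filename")

    lower = name.lower()
    # Reject double extensions such as report.jsp.dcm as well as plain shell.jsp.
    if any("." + part in EXECUTABLE_SUFFIXES for part in lower.split(".")[1:]):
        return UploadDecision(False, "executable suffix in filename")

    ext = os.path.splitext(lower)[1]
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, "extension not allowed")

    # Check content, not just the name: the magic must sit after the preamble.
    magic = head[DICOM_PREAMBLE_LEN:DICOM_PREAMBLE_LEN + len(DICOM_MAGIC)]
    if magic != DICOM_MAGIC:
        return UploadDecision(False, "content is not a DICOM Part 10 file")

    # Store under a name the server chooses (here derived from a content hash),
    # so the client-supplied name never reaches the filesystem.
    stored = hashlib.sha256(head).hexdigest()[:16] + ext
    return UploadDecision(True, "ok", stored)


if __name__ == "__main__":
    # Constructed samples: a minimal DICOM-looking header and a few bad uploads.
    dicom_head = b"\x00" * DICOM_PREAMBLE_LEN + DICOM_MAGIC + b"\x02\x00\x00\x00"
    samples = [
        ("study.dcm", 4096, dicom_head),
        ("../../webapps/ROOT/page.jsp", 4096, dicom_head),
        ("report.jsp.dcm", 4096, dicom_head),
        ("report.dcm", 4096, b"MZ" + b"\x00" * 200),
    ]
    for client_name, size, head in samples:
        d = validate_upload(client_name, size, head)
        print(f"{client_name!r:36} -> {'ACCEPT' if d.accepted else 'REJECT'}: {d.reason}")
```

The order of checks matters: name-based rejections happen first because they are cheap and loud in logs, but the content check is what actually stops a renamed executable, and writing the file under a server-generated name removes the client's influence over the final path entirely.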