Skip to main content

A privileged attacker could exploit CVE-2025-1002 to alter network traffic and perform a machine-in-the-middle attack

Threat ID:CC-4616
Threat Severity:Medium
Published:11 February 2025 3:21 PM

Summary

A privileged attacker could exploit CVE-2025-1002 to alter network traffic and perform a machine-in-the-middle attack

Affected platforms

The following platforms are known to be affected:

Versions: 2024.03 and earlier
MicroDicom DICOM Viewer

Threat details

Attacks targeting MicroDicom users

In June 2024, we issued Cyber Alert CC-4512. In the Cyber Alert, organisations were advised that threat actors were creating  watering hole campaigns. These campaigns targeted MicroDicom users by masquerading as the official download page after the release of a CISA alert regarding this product. These malicious download pages contained fake installers, which delivered additional malware.

Organisations are strongly encouraged to verify all download links for software patches and are recommended to follow the Definitive Threat Updates link in these cyber alerts.


Introduction

The US Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) Medical Advisory for a vulnerability found in MicroDicom DICOM Viewer. DICOM Viewer is an application for primary processing and preservation of medical images in DICOM format.

CVE-2025-1002 has a CVSSv3 base score of 5.7 and is an 'improper certificate validation' vulnerability, which means that it fails to adequately verify the update server's certificate. An attacker in a privileged network position could alter network traffic and carry out a machine-in-the-middle (MitM) attack. This attack could allow the server's response to be modified, delivering a malicious update to the user.

Remediation advice

Affected organisations are encouraged to review the CISA advisory ICSMA-25-037-01, which recommends updating MicroDicom DICOM Viewer to version 2025.1 and taking the following defensive actions to minimise the risk of exploitation of these vulnerabilities:

  • Minimise network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), while recognising VPNs may have vulnerabilities and should be updated to the most current version available.

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2025-1002MicroDicom DICOM Viewer version 2024.03 fails to adequately verify the update server's certificate, which could make it possible for attackers in a privileged network position to alter network traffic and carry out a machine-in-the-middle (MITM) attack. This allows the attackers to modify the server's response and deliver a malicious update to the user.

Last edited: 11 February 2025 3:21 pm

Back to top