Skip to main content

Meridian Technique Materialise OrthoView CVE-2025-23049

| EUVDEUVD-2025-27703 HIGH
OS Command Injection (CWE-78)
2025-06-23 cve@mitre.org
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-27703
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 12:15 nvd
HIGH 8.4

DescriptionCVE.org

Meridian Technique Materialise OrthoView through 7.5.1 allows OS Command Injection when servlet sharing is enabled.

AnalysisAI

CVE-2025-23049 is an OS Command Injection vulnerability in Meridian Technique Materialise OrthoView through version 7.5.1 that allows unauthenticated remote attackers to execute arbitrary operating system commands when servlet sharing is enabled. The vulnerability has a CVSS score of 8.4 (High) and affects healthcare/dental imaging software used by medical professionals. Attackers can achieve high confidentiality impact and high availability impact, making this a significant threat to healthcare organizations relying on OrthoView for patient imaging workflows.

Technical ContextAI

This vulnerability is rooted in CWE-78 (Improper Neutralization of Special Elements used in an OS Command - OS Command Injection), which occurs when user-supplied input is improperly sanitized before being passed to OS command execution functions. OrthoView's servlet-based architecture, when servlet sharing is enabled, fails to adequately validate and escape user input that reaches OS-level command execution pathways. The vulnerability exists in the shared servlet handling mechanism (likely a component processing HTTP requests), allowing attackers to inject shell metacharacters or commands that are then executed with the privileges of the application server process. Materialise OrthoView is an orthodontic/dental imaging software platform (CPE likely: cpe:2.3:a:materialize:orthoview:*:*:*:*:*:*:*:*), which typically runs on medical workstations or servers processing sensitive patient imaging data.

RemediationAI

patch: Upgrade OrthoView to version 7.5.2 or later (version number inferred from 'through 7.5.1' language; vendor advisory should confirm exact patched version); priority: IMMEDIATE configuration_mitigation: If immediate patching is not possible, disable servlet sharing if operationally feasible. This reduces the attack surface while patches are tested and deployed.; priority: HIGH network_mitigation: Implement network segmentation and access controls (firewall rules, VPN requirements) to restrict access to OrthoView systems to authenticated internal networks only, reducing exposure from unauthenticated remote attacks.; priority: HIGH monitoring: Deploy web application firewalls (WAF) or intrusion detection systems (IDS) to detect and block OS command injection patterns (shell metacharacters: ; | & $ ( ) [ ] { } < > \) in HTTP requests to OrthoView endpoints.; priority: MEDIUM vendor_advisory: Consult Meridian Technique/Materialise official security advisory and patch release notes at vendor's support portal for detailed remediation guidance and compatibility information.

Share

CVE-2025-23049 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy