EUVD-2025-27703

CVE-2025-23049 | HIGH | 2025-06-23 | [email protected] | 8.4 (CVSS 4.0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 22:10 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 22:10 (euvd), EUVD-2025-27703
CVE Published: Jun 23, 2025 - 12:15 (nvd), HIGH 8.4

Description

Meridian Technique Materialise OrthoView through 7.5.1 allows OS Command Injection when servlet sharing is enabled.

Analysis

CVE-2025-23049 is an OS Command Injection vulnerability in Meridian Technique Materialise OrthoView through version 7.5.1 that allows unauthenticated remote attackers to execute arbitrary operating system commands when servlet sharing is enabled. The vulnerability has a CVSS score of 8.4 (High) and affects healthcare/dental imaging software used by medical professionals. Attackers can achieve high confidentiality impact and high availability impact, making this a significant threat to healthcare organizations relying on OrthoView for patient imaging workflows.

Technical Context

This vulnerability is rooted in CWE-78 (Improper Neutralization of Special Elements used in an OS Command - OS Command Injection), which occurs when user-supplied input is improperly sanitized before being passed to OS command execution functions. OrthoView's servlet-based architecture, when servlet sharing is enabled, fails to adequately validate and escape user input that reaches OS-level command execution pathways. The vulnerability exists in the shared servlet handling mechanism (likely a component processing HTTP requests), allowing attackers to inject shell metacharacters or commands that are then executed with the privileges of the application server process. Materialise OrthoView is an orthodontic/dental imaging software platform (CPE likely: cpe:2.3:a:materialize:orthoview:*:*:*:*:*:*:*:*), which typically runs on medical workstations or servers processing sensitive patient imaging data.
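The CWE-78 pattern described above, as an added illustration that is not OrthoView code and not from the advisory: a hypothetical request handler hands a user-supplied file name to an external imaging tool. The tool name, output path and parameter are assumptions. The unsafe variant builds a single shell string (shown only as the string that would reach the shell, never executed), while the hardened variant validates the value against a strict allowlist and passes an argv list with no shell at all, so metacharacters never get a chance to separate commands.

```python
import re
import subprocess
from typing import List

# Hypothetical handler inputs: the external tool, the output path and the
# request parameter name are assumptions, not values from OrthoView.
TOOL = "convert"
OUT_PATH = "/var/app/out/preview.png"

# Allowlist: must start with a letter or digit (no option injection via a
# leading '-'), then only letters, digits, dot, underscore or hyphen.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def unsafe_command_string(file_name: str) -> str:
    """CWE-78 shape: untrusted input concatenated into one string intended for
    a shell. Anything after ';' '|' '&' '$(' etc. becomes a second command.
    Returned for inspection only; this function never executes anything."""
    return TOOL + " " + file_name + " " + OUT_PATH


def build_safe_argv(file_name: str) -> List[str]:
    """Hardened form: reject anything outside the allowlist, then build an
    argv list so the value is always a single argument to the tool."""
    if not SAFE_NAME.fullmatch(file_name):
        raise ValueError("file name rejected by allowlist")
    return [TOOL, file_name, OUT_PATH]


def run_safe(file_name: str) -> int:
    """Execute the tool without a shell (shell=False is the default for a
    list). Returns the exit status, or -1 if the tool is not installed."""
    argv = build_safe_argv(file_name)
    try:
        return subprocess.run(argv, capture_output=True, check=False).returncode
    except FileNotFoundError:
        return -1


if __name__ == "__main__":
    for name in ["scan_001.dcm", "scan_001.dcm; ls", "-version"]:
        try:
            print("accepted:", build_safe_argv(name))
        except ValueError as exc:
            print("rejected:", repr(name), "-", exc)
```

Rejecting at the allowlist is preferable to escaping: an escaping routine has to be correct for every shell the application might ever run under, whereas an argv list removes the shell from the path entirely, and the allowlist keeps option injection (a value starting with `-`) out as well.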

Affected Products

OrthoView (through 7.5.1)

Remediation

Patch (priority: IMMEDIATE): Upgrade OrthoView to version 7.5.2 or later (version number inferred from the "through 7.5.1" language; the vendor advisory should confirm the exact patched version).

Configuration mitigation (priority: HIGH): If immediate patching is not possible, disable servlet sharing where operationally feasible. This reduces the attack surface while patches are tested and deployed.

Network mitigation (priority: HIGH): Implement network segmentation and access controls (firewall rules, VPN requirements) so that only authenticated internal networks can reach OrthoView systems, reducing exposure to unauthenticated remote attacks.

Monitoring (priority: MEDIUM): Deploy a web application firewall (WAF) or intrusion detection system (IDS) to detect and block OS command injection patterns (shell metacharacters: ; | & $ ( ) [ ] { } < > \) in HTTP requests to OrthoView endpoints.

Vendor advisory: Consult the official Meridian Technique/Materialise security advisory and patch release notes on the vendor's support portal for detailed remediation guidance and compatibility information.
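The monitoring item above, turned into detection logic as an added example (not part of the advisory and not a vendor or vuln.today tool): it parses access-log lines, decodes each query parameter, repeating the decode so double-encoded values such as `%253B` are seen as `;`, and reports any parameter containing one of the metacharacters the advisory lists. The log lines and the `/orthoview/servlet/export` path are constructed for the example; backtick and newline are added to the advisory's character set as an assumption, since they also separate commands in sh. Access logs do not carry POST bodies, so a WAF or IDS would apply the same check to request bodies.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Metacharacters from the advisory's monitoring item, plus backtick and
# newline (assumption: both also act as command separators in sh).
META = set(";|&$()[]{}<>\\`\n")

# Combined-log-format prefix: ip ident user [time] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (bounded) so layered encodings such as
    %253B do not slip past a single-pass check."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def suspicious_params(target: str) -> Dict[str, str]:
    """Return {param: metacharacters found} for the query string of a request
    target. parse_qsl performs the first decode; fully_decode handles the rest."""
    hits: Dict[str, str] = {}
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        found = "".join(sorted(set(fully_decode(raw)) & META))
        if found:
            hits[name] = found
    return hits


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan access-log text; one finding per request with a flagged parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        params = suspicious_params(m.group("target"))
        if params:
            findings.append({"ip": m.group("ip"), "target": m.group("target"),
                             "status": int(m.group("status")), "params": params})
    return findings


# Constructed sample log: one clean request, one with an encoded ';', one
# with a double-encoded '&'. The endpoint path is hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2025:12:15:01 +0000] "GET /orthoview/servlet/export?file=scan_001.dcm HTTP/1.1" 200 512
10.0.0.7 - - [23/Jun/2025:12:15:09 +0000] "GET /orthoview/servlet/export?file=scan_001.dcm%3Bls HTTP/1.1" 200 88
10.0.0.9 - - [23/Jun/2025:12:16:30 +0000] "GET /orthoview/servlet/export?file=scan_001.dcm%2526ls HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A metacharacter hit is a signal to review, not proof of exploitation: a 500 status on a flagged request is worth correlating with process-creation telemetry on the host, and legitimate parameters that routinely contain `(` or `&` should be excluded per endpoint rather than by weakening the character set globally.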

Priority Score

43 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.6
CVSS: +42
POC: 0


EUVD-2025-27703 vulnerability details – vuln.today
