CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.

CVSS

No CVSS.

References

Link	Resource
https://discourse.orthanc-server.org/t/orthanc-1-12-10/6326
https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252
https://projectblack.io/blog/orthanc-1-12-9-user-impersonation/#exploitation
https://lists.debian.org/debian-lts-announce/2026/02/msg00033.html

Configurations

No configuration.

History

28 Feb 2026, 18:16

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2026/02/msg00033.html -
Summary		(es) Las versiones de Orthanc anteriores a la 1.12.10 se ven afectadas por un fallo de lógica de autorización en la implementación de Autenticación Básica HTTP de la aplicación. Si se explota con éxito podría provocarse una Escalada de Privilegios, permitiendo potencialmente acceso completo como administrador.

19 Feb 2026, 00:16

Type	Values Removed	Values Added
Summary	(en) Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in allow Privilege Escalation, potentially allowing full administrative access.	(en) Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.

18 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-18 23:16

Updated : 2026-02-28 18:16

NVD link : CVE-2025-15581

Mitre link : CVE-2025-15581

CVE.ORG link : CVE-2025-15581

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

{"id": "CVE-2025-15581", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-18T23:16:18.907", "references": [{"url": "https://discourse.orthanc-server.org/t/orthanc-1-12-10/6326", "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a"}, {"url": "https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252", "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a"}, {"url": "https://projectblack.io/blog/orthanc-1-12-9-user-impersonation/#exploitation", "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00033.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's\u00a0HTTP Basic Authentication implementation. \n\nSuccessful exploitation could result in Privilege Escalation, potentially allowing full administrative access."}, {"lang": "es", "value": "Las versiones de Orthanc anteriores a la 1.12.10 se ven afectadas por un fallo de l\u00f3gica de autorizaci\u00f3n en la implementaci\u00f3n de Autenticaci\u00f3n B\u00e1sica HTTP de la aplicaci\u00f3n.\n\nSi se explota con \u00e9xito podr\u00eda provocarse una Escalada de Privilegios, permitiendo potencialmente acceso completo como administrador."}], "lastModified": "2026-02-28T18:16:01.240", "sourceIdentifier": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a"}