top of page
perceptive_background_267k.jpg

Varex Imaging Panoramic Dental Imaging Software

Published:

11 December 2025 at 12:00:00

Alert date:

11 December 2025 at 21:05:27

Source:

cisa.gov

Click to open the original link from this advisory

CISA advisory for CVE-2024-22774 affecting Varex Imaging Panoramic Dental Imaging Software versions prior to 6.6.1.490. The vulnerability is an uncontrolled search path element (CWE-427) that allows DLL hijacking attacks. Successful exploitation enables standard users to escalate privileges to NT Authority/SYSTEM level. The vulnerability has CVSS v4 score of 8.5 and affects healthcare infrastructure in North America. Varex Imaging has released a patch (version 9.4.55.9888) to address the vulnerability. No public exploitation has been reported, but the vulnerability is not remotely exploitable.

Technical details

OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs which could lead to significant disruption or damage to connected systems. The vulnerability is exploitable remotely with high attack complexity. CVSS v3 base score of 8.0 and CVSS v4 base score of 7.0.

Mitigation steps:

Update OpenPLC_V3 to pull request #310 or later from the main GitHub repository. Minimize network exposure for all control system devices ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use secure methods such as Virtual Private Networks (VPNs). Perform proper impact analysis and risk assessment prior to deploying defensive measures. Implement recommended cybersecurity strategies for proactive defense of ICS assets. Report suspected malicious activity to CISA.

Affected products:

OpenPLC_V3: Versions prior to pull request #310

Related links:

https://github.com/cisagov/CSAF
https://cwe.mitre.org/data/definitions/352.html
https://www.cve.org/CVERecord?id=CVE-2025-13970
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H
https://github.com/thiagoralves/OpenPLC_v3
https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.cisa.gov/topics/industrial-control-systems
https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page