CVE-2023-40704

Philips Vue PACS Use of Default Credentials

Description

The product does not require unique and complex passwords to be created during installation. Using Philips's default password could jeopardize the PACS system if the password was hacked or leaked. An attacker could gain access to the database impacting system availability and data integrity.

Remediation

Solution:

  • Philips recommends the following mitigations: * For CVE-2021-28165, Philips recommends configuring the Vue PACS environment per D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter https://incenter.medical.philips.com/Default.aspx . Vue PACS version 12.2.8.410* released in October 2023 prevents this vulnerability. * For CVE-2023-40704, Philips recommends no action needed due to low risk of exploitability, but customers can request that Philips update database password(s). For managed services users, new releases will be made available upon resource availability. Releases are subject to country specific regulations. Users with questions regarding their specific Philips Vue PACS installations and new release eligibility should contact their local Philips sales representative or submit a request in the Philips Informatics Support portal https://www.informatics.support.philips.com/csm . Refer to the Philips advisory https://www.philips.com/productsecurity for more details.

Category

5.7
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.05%
Third-Party Advisory cisa.gov
Affected: Philips Vue PACS
Published at:
Updated at:

References

Link Tags
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01 us government resource third party advisory
http://www.philips.com/productsecurity product

Frequently Asked Questions

What is the severity of CVE-2023-40704?
CVE-2023-40704 has been scored as a medium severity vulnerability.
How to fix CVE-2023-40704?
To fix CVE-2023-40704: Philips recommends the following mitigations: * For CVE-2021-28165, Philips recommends configuring the Vue PACS environment per D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter https://incenter.medical.philips.com/Default.aspx . Vue PACS version 12.2.8.410* released in October 2023 prevents this vulnerability. * For CVE-2023-40704, Philips recommends no action needed due to low risk of exploitability, but customers can request that Philips update database password(s). For managed services users, new releases will be made available upon resource availability. Releases are subject to country specific regulations. Users with questions regarding their specific Philips Vue PACS installations and new release eligibility should contact their local Philips sales representative or submit a request in the Philips Informatics Support portal https://www.informatics.support.philips.com/csm . Refer to the Philips advisory https://www.philips.com/productsecurity for more details.
Is CVE-2023-40704 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-40704 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-40704?
CVE-2023-40704 affects Philips Vue PACS.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.