Tue, 28 Apr 2026 20:51:02 UTC
PENNAME.ORG
HEALTHCARE INFORMATION SECURITY PORTAL

Serving the healthcare infosec community since MMXXV  |  HIPAA · HITECH · FDA · OCR · Zero Trust · Medical Device Security

HIGH  |  CVE-2026-2987  |  2026-04-24

SQL injection in Philips IntelliSpace PACS

Summary

The query interface in IntelliSpace PACS does not properly parameterize study identifier inputs, allowing SQL injection.

Affected versions

  • IntelliSpace PACS 4.4 SP3 and earlier

Impact

Authenticated users can read arbitrary content from the imaging database, including studies belonging to other departments. Privilege escalation may be possible depending on stored procedure configuration.
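The flaw class described under Summary and Impact, shown as an added example that is not Philips code and not part of the original advisory: a study lookup that splices the identifier into the SQL text, beside a parameterized and validated form. The table, column and function names and the sample rows are hypothetical and constructed for illustration, using an in-memory SQLite database.

```python
import re
import sqlite3

# DICOM UIDs are dot-separated numeric components, at most 64 characters.
UID_RE = re.compile(r"[0-9]+(\.[0-9]+)*")

def make_db():
    # Constructed sample data; the schema is hypothetical, not the product's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE studies (study_uid TEXT PRIMARY KEY, department TEXT)")
    db.executemany("INSERT INTO studies VALUES (?, ?)", [
        ("1.2.840.1.1", "radiology"),
        ("1.2.840.1.2", "cardiology"),
    ])
    return db

def find_study_unsafe(db, study_uid, department):
    # Flawed pattern: the identifier becomes part of the SQL text, so a quote
    # inside it is parsed as SQL and can override the department filter.
    sql = ("SELECT study_uid, department FROM studies "
           "WHERE department = ? AND study_uid = '" + study_uid + "'")
    return db.execute(sql, (department,)).fetchall()

def find_study_safe(db, study_uid, department):
    # Reject anything that is not a syntactically valid UID before querying.
    if len(study_uid) > 64 or not UID_RE.fullmatch(study_uid):
        raise ValueError("invalid study identifier")
    # Placeholders keep the value as data; the department filter always applies.
    sql = ("SELECT study_uid, department FROM studies "
           "WHERE department = ? AND study_uid = ?")
    return db.execute(sql, (department, study_uid)).fetchall()

def demo():
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed malformed identifier
    leaked = find_study_unsafe(db, crafted, "radiology")
    try:
        find_study_safe(db, crafted, "radiology")
        rejected = False
    except ValueError:
        rejected = True
    return sorted(dept for _, dept in leaked), rejected

if __name__ == "__main__":
    print(demo())
```

The validation step is defense in depth; the placeholder alone already prevents the identifier from being parsed as SQL.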

Mitigation

Apply Philips service pack 4.4 SP4 or later.

References

  • Philips Product Security Status Information
  • ICS-CERT advisory pending
