CVE-2018-25298
Description
Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Merge PACS 7.0 is vulnerable to CSRF; an attacker can trick a user into submitting a crafted form to hijack their session or log into the system with arbitrary credentials.
Merge PACS 7.0 contains a cross-site request forgery (CSRF) vulnerability in the merge-viewer endpoint. The application fails to implement anti-CSRF tokens or origin checks on the /servlet/actions/merge-viewer/summary POST handler, allowing an attacker to forge requests that perform actions on behalf of an authenticated user [2][3]. Root cause is the lack of CSRF protections for session-sensitive operations.
Exploitation requires no authentication; the attacker must trick an authenticated user into visiting a malicious HTML page. The proof-of-concept shows a hidden form that submits amicasUsername and password fields, effectively logging the victim into a session controlled by the attacker or performing actions as the victim [2]. The attack is network-based (AV:N) with low attack complexity (AC:L) and no privileges required (PR:N) [3].
Successful exploitation allows an attacker to hijack the victim's active session or execute unauthorized actions on the PACS system, potentially accessing or manipulating medical imaging data [3]. The CVSS v4 vector records no confidentiality impact on the vulnerable system and a low impact on subsequent systems (VC:N, SC:L), and a low integrity impact on both (VI:L, SI:L), indicating limited but real risk to data integrity and system trust.
Merative (formerly IBM Watson Health) is the vendor, and Merge PACS 7.0 is the affected product [1]. No patch information is provided in the available references; users should monitor vendor advisories or apply general CSRF defenses such as per-session token validation, Origin/Referer checks, or SameSite cookie policies. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
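The root cause named above is the absence of anti-CSRF tokens and origin checks on the /servlet/actions/merge-viewer/summary POST handler. The following is an added illustration, not code from Merge PACS or from the cited references, of what such a check looks like on the server side: a per-session synchronizer token compared in constant time, an Origin/Referer allow-list that fails closed, and a SameSite=Strict session cookie. The hostnames, the `Session` and `Request` classes, the `csrf_token` field name and the sample requests are all constructed for the example; only the endpoint path and the amicasUsername/password field names come from the page.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholder: the only origin allowed to submit protected forms.
ALLOWED_ORIGINS = {"https://pacs.example.internal"}
# Endpoint named in the CVE description; any state-changing POST to it is protected.
PROTECTED_PATHS = {"/servlet/actions/merge-viewer/summary"}


@dataclass
class Session:
    """Hypothetical server-side session; a token exists even before login,
    so a login form is protected against login CSRF as well."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Hypothetical minimal request object for the example."""
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]


def issue_session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session. SameSite=Strict makes the browser omit the
    cookie entirely on a cross-site form POST, so a forged form arrives without a session."""
    return f"JSESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Allow-list the request's origin; fall back to Referer, and fail closed if neither is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (accepted, reason). Only state-changing methods on protected paths are gated."""
    if req.method not in ("POST", "PUT", "PATCH", "DELETE") or req.path not in PROTECTED_PATHS:
        return True, "not a protected state-changing request"
    if req.session is None:
        return False, "no session"
    if not origin_allowed(req.headers):
        return False, "origin check failed"
    token = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(token, req.session.csrf_token):
        return False, "token check failed"
    return True, "ok"


def build_samples(session: Session) -> Dict[str, Request]:
    """Constructed sample requests: a cross-site form post like the one the CVE describes,
    the same post with no Origin/Referer, a same-origin post with a stale token, and a valid one."""
    path = "/servlet/actions/merge-viewer/summary"
    creds = {"amicasUsername": "victim", "password": "not-a-real-password"}
    return {
        "cross_site": Request("POST", path, {"Origin": "https://attacker.example"}, dict(creds), session),
        "no_origin": Request("POST", path, {}, dict(creds), session),
        "stale_token": Request("POST", path, {"Origin": "https://pacs.example.internal"},
                               {**creds, "csrf_token": "old-token"}, session),
        "legitimate": Request("POST", path, {"Origin": "https://pacs.example.internal"},
                              {**creds, "csrf_token": session.csrf_token}, session),
    }


if __name__ == "__main__":
    s = Session()
    for name, req in build_samples(s).items():
        print(f"{name:12s} -> {csrf_check(req)}")
    print(issue_session_cookie("example-session-id"))
```

The token check alone would already stop the forged form in the description, since an attacker's page cannot read the victim's token; the origin check and SameSite cookie are defence in depth so that a single missing token on one handler does not reopen the hole.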
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (No linked articles in our index yet.)