The Healthcare and Public Health Sector Highlights
Cybersecurity Edition
March 21, 2025
The Healthcare and Public Health (HPH) Sector Highlights - Cybersecurity Edition is a weekly newsletter produced by the Office of Cybersecurity and Infrastructure Protection (OCIP)
within the U.S. Department of Health and Human Services’ (HHS) Administration for Strategic Preparedness and Response (ASPR).
Active Exploitation of ChatGPT Vulnerability Poses Risk to Organizations
Source: DarkReading
A server-side request forgery (SSRF) vulnerability tracked as CVE-2024-27564 is being actively exploited. The flaw, in the url parameter of the pictureproxy.php component, lets an attacker make the application issue requests to attacker-chosen URLs, including redirecting users to malicious destinations, which opens the door to a range of follow-on attacks. Over 10,000 exploit attempts were recorded in a single week, many targeting financial institutions, government and healthcare organizations.
The vulnerability was identified by Veriti researchers, who note that exploitation succeeds in environments where intrusion prevention systems and web application firewalls are misconfigured and do not block the malicious requests. Financial organizations that rely on AI-driven services are primary targets, since a successful attack could enable unauthorized transactions or data breaches. Although the vulnerability was initially rated medium severity, its active exploitation shows the real-world danger posed by even small flaws.
Security teams are urged to check firewall and system configurations, monitor logs for suspicious activity, and prioritize addressing AI-related security gaps to mitigate this growing threat. For more information, refer to the DarkReading article.
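To make the SSRF class concrete, the following Python is an added example written for this bulletin; it is not code from the vulnerable project, from OpenAI or from Veriti. The vulnerable shape hands a client-supplied URL straight to the fetcher. The hardened validator enforces a scheme and host allow-list, resolves the host, refuses any non-public address (loopback, RFC 1918, the 169.254.169.254 metadata range and so on) and returns the resolved address so the fetch can be pinned to it. The allow-list hosts, the constructed DNS table and the injectable resolver are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list for this example: the only origins the image proxy
# should ever fetch from. A real deployment loads this from configuration.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}

# Constructed DNS answers so the example runs offline; cdn.example.com is
# deliberately given an internal address to show the post-resolution check.
CONSTRUCTED_DNS = {
    "images.example.com": ["8.8.8.8"],
    "cdn.example.com": ["10.0.0.5"],
}


def vulnerable_proxy_target(url: str) -> str:
    """The SSRF shape: the client-supplied URL becomes the fetch target with
    no validation, so it can point at localhost, a cloud metadata endpoint
    or any internal service reachable from the server."""
    return url


def live_resolve(host: str) -> list:
    """Resolve with the system resolver (needs network; not used by the demo)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def constructed_resolve(host: str) -> list:
    """Offline stand-in for live_resolve backed by CONSTRUCTED_DNS."""
    return CONSTRUCTED_DNS.get(host, [])


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local (which covers the 169.254.169.254 metadata endpoint),
    shared/CGNAT, multicast, reserved and unspecified addresses."""
    return ipaddress.ip_address(ip).is_global


def validate_outbound_url(url: str, resolve=constructed_resolve):
    """Decide whether the proxy may fetch url.

    Returns (allowed, reason, pinned_ip). The caller should open the
    connection to pinned_ip with the Host header set to the original name,
    rather than resolving a second time; that closes the DNS rebinding
    window between this check and the actual fetch.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # raises ValueError on malformed IPv6 literals
    except ValueError as exc:
        return False, f"unparseable url: {exc}", None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", None
    if parts.username or parts.password:
        return False, "userinfo in url", None
    if not host:
        return False, "missing host", None
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {host!r}", None
    try:
        addresses = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}", None
    if not addresses:
        return False, "host did not resolve", None
    # Every answer must be public: one internal A record in an
    # attacker-controlled zone is enough to reach internal services.
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}", None
    return True, "ok", addresses[0]


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/logo.png",
        "http://images.example.com/logo.png",
        "https://169.254.169.254/latest/meta-data/",
        "https://cdn.example.com/logo.png",
        "https://attacker@images.example.com/logo.png",
    ):
        print(candidate, "->", validate_outbound_url(candidate))
```

The host allow-list is the control that matters most; the address check behind it exists because an allow-listed name can still be pointed at an internal address by whoever controls its DNS zone, and because a WAF or IPS rule that only looks at the URL string will not see that.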
Security Alert: GitHub Action Compromise (CVE-2025-30066)
Source: CISA
The popular GitHub Action tj-actions/changed-files, used to detect which files changed in a pull request or commit, was compromised in a supply chain attack tracked as CVE-2025-30066. The injected code dumped CI secrets, including GitHub personal access tokens, npm tokens and private RSA keys, into workflow logs; for public repositories those logs are readable by anyone, so the secrets were effectively published. The malicious code has been removed and the fix shipped in version v46.0.1, and CISA has added the CVE to its Known Exploited Vulnerabilities Catalog. Removing the code does not undo the exposure: any secret that passed through an affected workflow run should be treated as compromised. Users are strongly advised to stop using the compromised action, rotate exposed secrets and adopt the following protections: pin actions to full commit hashes rather than version tags (tags are mutable, and in this incident the action's tags were re-pointed to the malicious commit), use GitHub's allow-listing feature to restrict which actions may run, and monitor CI pipelines for suspicious activity. For further guidance, refer to the following resources:
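The pinning and allow-listing advice above can be checked mechanically. The script below is an added example for this bulletin, not a tool from GitHub, CISA or the tj-actions project: it walks a workflow file, parses each uses: reference and reports actions that are on a compromised list, whose owner is outside an organisation allow-list, or that are not pinned to a full 40-character commit SHA. The compromised list contains only the action named on this page, the allow-list owner, the sample workflow and its 40-hex-digit pin are all constructed for the example.

```python
import re

# The action this bulletin reports as compromised. Hypothetical list for the
# example; a real scan would pull an up-to-date feed from your security team.
COMPROMISED_ACTIONS = {"tj-actions/changed-files"}

# Hypothetical organisation allow-list, in the spirit of GitHub's
# "allow select actions" repository/organisation policy.
ALLOWED_OWNERS = {"actions"}

_USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)""")
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex-digit pin on setup-node is a
# placeholder, not a real commit of that action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: ./.github/actions/lint
      - run: npm test
"""


def parse_action_ref(ref: str):
    """Split 'owner/repo[/subdir]@ref' into ('owner/repo', ref).
    Returns None for local (./) and docker:// references, which are pinned by
    other means (repository contents, image digest)."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    name, _, version = ref.partition("@")
    owner_repo = "/".join(name.split("/")[:2])
    return owner_repo, version


def scan_workflow(text: str) -> list:
    """One finding per problematic `uses:` line, each with a list of reasons."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        parsed = parse_action_ref(m.group(1))
        if parsed is None:
            continue
        action, version = parsed
        reasons = []
        if action in COMPROMISED_ACTIONS:
            reasons.append("known-compromised action: remove it and rotate every "
                           "secret the workflow could read")
        if action.split("/")[0] not in ALLOWED_OWNERS:
            reasons.append("owner not on the organisation allow-list")
        if not _FULL_SHA_RE.match(version):
            reasons.append(f"not pinned to a full commit SHA (ref {version!r} is a "
                           "mutable tag or branch)")
        if reasons:
            findings.append({"line": lineno, "action": action,
                             "ref": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']}")
        for r in f["reasons"]:
            print("   -", r)
```

A SHA pin covers only the reference in your own workflow; an action that itself pulls other actions by tag can still be swapped out underneath you, so the same scan is worth running against the pinned action's own workflow and action.yml files. Running it in CI as a blocking check keeps a tag from creeping back in during routine edits.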
CISA Issues Medical Advisory on Santesoft Sante DICOM Viewer Pro Vulnerability
Source: CISA
The Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) Medical Advisory for Santesoft's Sante DICOM Viewer Pro, versions 14.1.2 and prior. The advisory describes an out-of-bounds write vulnerability (CVE-2025-2480) with a CVSS v4 base score of 8.4 (high). A local attacker can trigger it by convincing a user to open a malicious Digital Imaging and Communications in Medicine (DICOM, .dcm) file, corrupting memory and potentially executing arbitrary code. The product is used primarily in the healthcare and public health sector and is deployed worldwide. Santesoft has released version 14.2.0 to address the issue, and CISA recommends upgrading to it.
Additionally, CISA advises organizations to secure their networks, use VPNs for remote access, and follow cybersecurity best practices to protect against potential exploitation. While no public exploitation has been reported, CISA encourages organizations to remain vigilant and implement defensive measures. For additional information, refer to the ICS Medical Advisory.
Critical Veeam RCE Vulnerability Exposes Backup Servers to Domain Users
Source: BleepingComputer
Veeam has patched a critical remote code execution vulnerability (CVE-2025-23120) in Backup & Replication that affects domain-joined installations. The flaw, present in versions 12.3.0.310 and earlier, lets any authenticated domain user trigger unsafe deserialization and execute code on the backup server. It was fixed in version 12.3.1, released on March 20, 2025. The root cause is a deserialization routine that accepts attacker-supplied serialized objects; Veeam had previously addressed a similar issue, but a different exploit path was found that gets around that fix. Ransomware groups have long targeted Veeam backup servers, and this vulnerability makes them even more attractive. To protect your infrastructure, upgrade to version 12.3.1 immediately. Additionally, review Veeam's best practices and consider not joining the backup server to the production domain, so that an ordinary domain account is not a foothold onto it. For more details on the vulnerability, refer to the Veeam Vulnerability Report.
CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation Threats
Source: The Hacker News
CISA added a critical vulnerability in NAKIVO Backup & Replication to its Known Exploited Vulnerabilities (KEV) catalog because of evidence of active exploitation. The flaw, CVE-2024-48248 (CVSS score: 8.6), is an absolute path traversal: an unauthenticated attacker can supply an absolute path and read arbitrary files on the system, such as /etc/shadow. It affects version 10.11.3.86570 and earlier and was fixed in version 11.0.0.88174, released in November 2024. Exploitation could expose credentials, backups and configuration files and lead to further compromise; specifics on the observed exploitation remain limited. Alongside the NAKIVO flaw, CISA added two other vulnerabilities to the KEV catalog: CVE-2025-1316, an OS command injection in Edimax IC-7100 IP cameras, and CVE-2017-12637, a directory traversal vulnerability in SAP NetWeaver Application Server. Because these are under active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by April 9, 2025. For more information, refer to The Hacker News article.
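Absolute path traversal (CWE-36) is a distinct bug class from the familiar ../ variant, and the two KEV entries above are one of each. The Python below is an added example for this bulletin, not code from NAKIVO, SAP or the researchers who reported either flaw; it shows the vulnerable pattern (os.path.join silently discards the base directory when the user-supplied part is absolute), a hardened resolver that refuses absolute paths and checks containment after normalising, and a cheap rule for spotting traversal attempts in request logs. The base directory and the sensitive-target list are assumptions for the example; POSIX path semantics are assumed.

```python
import os

# Hypothetical document root for this example.
BASE_DIR = "/srv/app-example/files"

# Targets worth alerting on even when a request is otherwise well formed.
SENSITIVE_TARGETS = ("/etc/shadow", "/etc/passwd", "/root/", "/.ssh/")


def vulnerable_resolve(base: str, user_path: str) -> str:
    """CWE-36 absolute path traversal: os.path.join discards every earlier
    component when a later one is absolute, so "/etc/shadow" wins outright
    and no "../" sequences are needed."""
    return os.path.join(base, user_path)


def safe_resolve(base: str, user_path: str) -> str:
    """Map a client-supplied *relative* path onto base, refusing anything that
    would escape it. Raises instead of silently rewriting the path so that the
    attempt shows up in application logs. POSIX semantics assumed."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise PermissionError(f"absolute path rejected: {user_path!r}")
    base_real = os.path.realpath(base)
    # realpath collapses "..", "." and symlinks before the containment test.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath compares whole components; a plain startswith() would accept
    # "/srv/app-example/files-private/secret".
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def check_path(base: str, user_path: str):
    """(ok, resolved_path_or_reason) wrapper around safe_resolve."""
    try:
        return True, safe_resolve(base, user_path)
    except (PermissionError, ValueError) as exc:
        return False, str(exc)


def is_traversal_attempt(user_path: str) -> bool:
    """Cheap detection rule for request logs: absolute paths, '..' components
    (with either separator) or well-known sensitive targets in a path value."""
    norm = user_path.replace("\\", "/")
    if norm.startswith("/"):
        return True
    if ".." in norm.split("/"):
        return True
    return any(t in norm for t in SENSITIVE_TARGETS)


if __name__ == "__main__":
    for p in ("reports/q1.pdf", "/etc/shadow", "../../../etc/shadow",
              "../files-private/secret"):
        print(f"{p!r:28} join -> {vulnerable_resolve(BASE_DIR, p)!r:40}"
              f" safe -> {check_path(BASE_DIR, p)}")
```

The detection rule is deliberately loose: a path parameter that begins with a slash or contains a ".." component has no legitimate reason to appear in a file-fetch endpoint, so it is cheap to alert on every hit and then confirm against the application's own access log.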
Windows Zero-Day Exploited by 11 State-Sponsored Hacking Groups Since 2017
Source: BleepingComputer
A Windows vulnerability tracked as ZDI-CAN-25373 has been exploited by at least 11 state-backed groups from North Korea, Iran, Russia and China for cyber espionage and data theft since 2017. Microsoft has not issued a patch, saying the issue does not meet its severity bar for immediate servicing. The flaw is a user interface misrepresentation (CWE-451) in Windows shortcut (.LNK) files: an attacker pads the shortcut's command-line arguments with a long run of whitespace (spaces, tabs, line feeds and similar characters) so that the Target field in the file's Properties dialog shows nothing suspicious, while the shortcut still runs the hidden command when opened.
The flaw has been used in attacks worldwide, targeting North America, South America, Europe, East Asia and Australia. Most of the attacks focused on espionage (70%), with financial gain a secondary objective (20%). Payloads delivered in these campaigns include Ursnif, Gh0st RAT and Trickbot. Microsoft has acknowledged the issue and says that, while it has not patched it, it is considering a future fix. For now, users are advised to be cautious with shortcut files from unknown sources; because the Properties dialog cannot be trusted to show the real command, suspicious .LNK files should be inspected with a tool that parses the file directly. For more details, refer to the BleepingComputer article.
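The whitespace trick is easy to detect once the shortcut is parsed rather than viewed. The following Python is an added example for this bulletin, not code from Trend Micro, the ZDI or BleepingComputer: a minimal reader for the Shell Link (MS-SHLLINK) header and StringData sections, a scanner that flags arguments beginning with a run of whitespace, and a builder that produces a small constructed .lnk so the scanner can be exercised offline. The field layout and flag bits follow the published format; the padding threshold is an assumption, and the builder's output is a test fixture rather than a complete shortcut Windows would resolve.

```python
import struct

# ShellLinkHeader LinkFlags bits (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} serialised little-endian.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData sections, in the order the format stores them.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Whitespace the padding trick uses; the Properties dialog renders none of it.
PADDING_CHARS = " \t\r\n\x0b\x0c"
CONTROL_PADDING = "\t\r\n\x0b\x0c"
# Assumption for this example: more leading spaces than this, or any
# control-character padding, is treated as deliberate concealment.
MAX_BENIGN_LEADING_SPACES = 8


def parse_lnk(data: bytes) -> dict:
    """Minimal reader: validate the header, skip LinkTargetIDList and LinkInfo,
    then decode the StringData fields present according to LinkFlags."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        nbytes = count * 2 if unicode else count
        if pos + nbytes > len(data):
            raise ValueError(f"truncated {name} string")
        raw = data[pos:pos + nbytes]
        pos += nbytes
        strings[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return {"flags": flags, "strings": strings}


def scan_lnk(data: bytes) -> dict:
    """Flag shortcuts whose COMMAND_LINE_ARGUMENTS start with whitespace padding."""
    info = parse_lnk(data)
    args = info["strings"].get("arguments", "")
    visible = args.lstrip(PADDING_CHARS)
    leading = len(args) - len(visible)
    has_control = any(c in CONTROL_PADDING for c in args[:leading])
    return {
        "target": info["strings"].get("relative_path", ""),
        "leading_padding": leading,
        "visible_arguments": visible,
        "suspicious": has_control or leading > MAX_BENIGN_LEADING_SPACES,
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk for exercising the scanner: a header plus the
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings. Not a complete shortcut."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    benign = build_lnk("..\\Windows\\System32\\notepad.exe", "C:\\notes.txt")
    padded = build_lnk("..\\Windows\\System32\\cmd.exe", " " * 400 + "\t\r\n/c calc.exe")
    for label, sample in (("benign", benign), ("padded", padded)):
        print(label, scan_lnk(sample))
```

Real samples may also carry a LinkTargetIDList and LinkInfo block, which the reader skips by length, and ExtraData blocks after the strings, which it does not need. Running scan_lnk over every .lnk in a mail quarantine or a download directory gives a direct answer that the Properties dialog does not.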
Joint Efforts Cut Cobalt Strike Abuse by 80%
Source: HIPAA Journal
The HIPAA Journal published an article highlighting a collaborative effort against the misuse of Cobalt Strike that has reduced its abuse by 80% over the past two years. Cobalt Strike is a commercial adversary-simulation tool built for red teams, but cracked and unlicensed copies have been widely used by cybercriminals to deploy ransomware and run phishing campaigns. Through the efforts of Fortra, Microsoft's Digital Crimes Unit and Health-ISAC, more than 200 malicious domains were seized and sinkholed, and the time between detecting an illicit instance and taking it down has been cut to under two weeks globally. Separately, Operation Morpheus, led by the UK's National Crime Agency, targeted 690 malicious instances of Cobalt Strike, resulting in the takedown of 593 IP addresses. These ongoing collaborative efforts continue to reduce the threat posed by abused Cobalt Strike. For more information, refer to the HIPAA Journal.
Hackers Exploit Critical Cisco Smart Licensing Vulnerabilities
Source: SecurityWeek
The SANS Technology Institute's Internet Storm Center has reported seeing active attempts to exploit two critical vulnerabilities in Cisco's Smart Licensing Utility, tracked as CVE-2024-20439 and CVE-2024-20440. These vulnerabilities were patched by Cisco in September 2024, but attackers are still targeting them.
CVE-2024-20439 is a static administrative credential built into the utility, which lets an unauthenticated remote attacker log in; CVE-2024-20440 is excessive verbosity in a debug log file, which lets an unauthenticated attacker who sends a crafted HTTP request retrieve log files containing sensitive data, including credentials usable against the utility's API. The observed attackers are trying the hardcoded credentials against exposed instances of the utility, though their exact objectives remain unclear.
Both vulnerabilities, which give an attacker access to sensitive information and control over associated services, were found by Cisco during internal testing. No exploitation had been reported before now, so the recent activity suggests an emerging threat. Note that the utility only listens on the network while it is running, so instances left running after a licensing task are the ones exposed; patching, or simply not leaving the utility running, closes the window. Cisco has yet to comment on the ongoing exploitation. For more information, refer to Cisco's Security Advisory.
HPH Sector Ransomware Resource Library
The HPH Sector Highlights-Cybersecurity Edition features this continually growing HPH Ransomware Resource Library in every weekly bulletin. The library has a variety of resources that you can use to keep your healthcare facility protected from ransomware attacks.
Latest CISA Vulnerability Summary
The latest CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the NIST National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned Common Vulnerability Scoring System (CVSS) scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Comments and Questions
If you have comments or questions, send an email to hhscyber@hhs.gov. The OCIP team will work to answer your inquiries or connect you to the proper entity.
Traffic Light Protocol (TLP) Designation: CLEAR
TLP: CLEAR information may be distributed without restriction.
Did someone forward this to you?
Subscribe to HPH Sector communications.
Disclaimer: ASPR provides the above sources of information for the convenience of the HPH Sector community and is not responsible for the availability or content of the information or tools provided, nor does ASPR endorse, warrant or guarantee the products, services or information described or offered. It is the responsibility of the user to determine the usefulness and applicability of the information provided.