Unencrypted hard-coded password risks patient info in Philips’ x-ray dose app

DoseWise Portal
DoseWise Portal

Philips is working to fix a serious hard-coded credential flaw in its radiation dose management web portal that could allow a remote attacker to access patient records stored in the platform’s database. 

The software, called DoseWise Portal, is used by hospitals to manage radiation levels that patients are exposed to when undergoing CT scans.  

In an advisory published Thursday, Philips said DoseWise Portal stored hard-coded database credentials in the clear within backend system files. 

“Successful exploitation may allow a remote attacker to gain access to the database of the DoseWise Portal application which contains patient health information (PHI).  Potential impact could include compromise of patient confidentiality, system integrity, and/or system availability,” it said. 

An attacker would need elevated privileges to access the files that contain the hard-coded credentials, which are stored behind additional security measures, according to Philips.   

Still, according to the US DHS' ICS-CERT, an “attacker with a low skill would be able to exploit these vulnerabilities.” 

Philips says the portal is deployed primarily in Australia, the US, Japan, and Europe, according to ICS-CERT’s advisory.  

The hard-coded credential vulnerability ( CVE-2017-9656) has been assigned a Common Vulnerability Scoring System (CVSS) v3 base score of 9.1 out of a possible 10. The cleartext vulnerability has been given a CVSS v3 base score of 6.5.  

There are currently no known public exploits for the two bugs. DoseWise Portal versions and are vulnerable. 

A DoseWise Portal customer reported the vulnerability to the Philips, which plans to release a new version addressing the flaw this month. 

For customers with version, Philips will assist them reconfigure the software to change and encrypt all stored passwords.   

Customers with version will be updated to version, which will “eliminate the hard-code password vulnerabilities”.  

Philips has advised customers to block port 1433 except where a separate SQL server is used. 


Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags philipscyber securityattackersICS-CERTCVE-2017-9656

More about AustraliaCustomersPhilips

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts