Insecure Password Encryption Vulnerability in syngo.plaza VB30E
Publication Date: 2026-02-10
Last Update: 2026-02-10
Current Version: V1.0
CVSS v3.1 Base Score: 5.3
CVSS v4.0 Base Score: 6.3
SUMMARY
syngo.plaza VB30E contains an insecure password encryption vulnerability that could allow an attacker to extract the original passwords and potentially gain unauthorized access.
Siemens Healthineers has released a new hot fix (HF07) for syngo.plaza version VB30E and recommends updating to the latest version.
AFFECTED PRODUCTS AND SOLUTIONS
WORKAROUNDS AND MITIGATIONS
Product specific remediations or mitigations can be found in the section Known affected Products.
Please follow the General Security Recommendations.
GENERAL SECURITY RECOMMENDATIONS
In addition, Siemens Healthineers generally recommends the following:
- Ensure you have appropriate backups and system restoration procedures.
- Securely delete any backup files that are no longer needed.
- For specific patch and remediation guidance, contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center.
To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you
PRODUCT DESCRIPTION
syngo.plaza is a Picture Archiving and Communication System intended to display, process, read, report, print, communicate, distribute, store, and archive digital medical images, including mammographic images. It supports the physician in diagnosis and treatment planning.
VULNERABILITY CLASSIFICATION
This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.
Vulnerability CVE-2024-52334
The affected application does not encrypt passwords properly. This could allow an attacker to recover the original passwords and potentially gain unauthorized access.
CVSS v3.1 Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0 Base Score: 6.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE: CWE-261: Weak Encoding for Password
ACKNOWLEDGMENTS
Siemens Healthineers thanks the following party for their efforts:
- Felix Eberstaller and Bernhard Lorenz from Limes Security for coordinated disclosure
ADDITIONAL INFORMATION
For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers.
HISTORY DATA
V1.0 (2026-02-10): Publication Date
TERMS OF USE
Siemens Healthineers’ Security Advisories are subject to the terms and conditions contained in Siemens Healthineers’ underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens Healthineers’ Global Website (https://www.siemens-healthineers.com/terms-of-use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.