OrthoView announced yesterday that a high-severity vulnerability had been identified in all versions of OrthoView up to and including v7.5.1. The vulnerability is exploitable only on installations that have servlet sharing enabled.
The vulnerability is classified as CWE-78, OS command injection: input supplied by an unauthenticated user reaches an operating system command without being neutralized, so shell metacharacters in that input are executed as additional commands (more in-depth explanation here: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')). Injected commands run with the privileges of the account the OrthoView service runs under, so if that account has network or file-system rights beyond what OrthoView itself needs, an attacker may be able to reach other parts of the network or other files from the compromised server.
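To make the CWE-78 pattern concrete, here is an added example of the vulnerable and hardened shapes side by side. It is not OrthoView's code and says nothing about where the real flaw sits; the "studyId" parameter and the "echo listing" command are hypothetical stand-ins for whatever the real servlet does with request input. It needs a Unix-like host with /bin/sh and echo on the PATH.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Generic CWE-78 illustration. Added example, not OrthoView's code: the
 * "studyId" parameter and the "echo listing" command are hypothetical.
 */
public class CommandInjectionDemo {

    // Conservative allowlist for the value: letters, digits, '-' and '_' only.
    // Whitespace, quotes, ';', '|', '&', '$', '`', '/' and '.' never get through,
    // which also rules out path traversal in the argument.
    private static final Pattern STUDY_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    // VULNERABLE pattern: untrusted input is concatenated into one string that
    // /bin/sh parses. Shell metacharacters in the input become new commands.
    static List<String> vulnerableCommand(String studyId) {
        return List.of("/bin/sh", "-c", "echo listing " + studyId);
    }

    // HARDENED pattern: validate first, then run a fixed program with the value
    // as its own argv element and no shell in between. Even without the
    // allowlist, "study1; echo INJECTED" would reach echo as plain text.
    static List<String> hardenedCommand(String studyId) {
        if (!STUDY_ID.matcher(studyId).matches()) {
            throw new IllegalArgumentException("rejected study id: " + studyId);
        }
        return List.of("echo", "listing", studyId);
    }

    // Runs argv via ProcessBuilder (no shell unless argv[0] is one) and returns
    // stdout, so the difference between the two patterns is visible.
    static String run(List<String> argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker-controlled parameter value.
        String hostile = "study1; echo INJECTED";

        // Shell string: prints "listing study1" and then "INJECTED",
        // i.e. the attacker's second command executed.
        System.out.print("vulnerable: " + run(vulnerableCommand(hostile)));

        // argv form without validation: prints the whole value literally,
        // "listing study1; echo INJECTED", because no shell parsed it.
        System.out.print("argv only:  " + run(List.of("echo", "listing", hostile)));

        // Validation rejects the value outright before anything is executed.
        try {
            hardenedCommand(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened:   " + e.getMessage());
        }
        System.out.print("hardened:   " + run(hardenedCommand("study1")));
    }
}
```

The two defences are independent: the argv form removes the shell that interprets metacharacters, and the allowlist stops anything unexpected from reaching the program at all. Applying only one of them is what usually leaves a CWE-78 residue behind, for example when the fixed program is later swapped for a script that re-enters a shell.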
Announcement
“A security issue was discovered in OrthoView 7.5.1 and earlier versions. Under certain conditions, unauthenticated users may be able to execute arbitrary commands on the OrthoView server.”
“The vulnerability only affects OrthoView installations with servlet sharing enabled.”
Disclosure Links
https://nvd.nist.gov/vuln/detail/CVE-2025-23049