Cisco Talos Discloses Critical Vulnerabilities in Medical and Security Software Libraries
Cisco Talos’ Vulnerability Discovery & Research team recently uncovered and disclosed multiple vulnerabilities in three widely used software libraries: Libbiosig, Grassroot DICOM, and Smallstep step-ca. While patches have been released for most flaws, the Grassroot DICOM vulnerabilities remain unpatched zero-days.
Libbiosig: Stack-Based Buffer Overflows
Researcher Mark Bereza identified six stack-based buffer overflow vulnerabilities (TALOS-2025-2296, CVE-2025-66043–CVE-2025-66048) in Libbiosig 3.9.1, an open-source library for biomedical signal processing. The flaws reside in the library's MFER parsing functionality; an attacker who supplies a maliciously crafted MFER file can trigger them and execute arbitrary code.
Grassroot DICOM: Zero-Day Information Leaks
Emmanuel Tacheau discovered three out-of-bounds read vulnerabilities in Grassroot DICOM, a C++ library for medical imaging files. The flaws (TALOS-2025-2210, TALOS-2025-2211, TALOS-2025-2214) can expose sensitive data, including heap memory contents, when the library parses a malicious file. Unlike the other vulnerabilities, these remain unpatched zero-days.
Smallstep step-ca: Additional Flaws
Researcher Stephen Kubik of Cisco’s Advanced Security Initiatives Group (ASIG) identified vulnerabilities in Smallstep step-ca, a certificate authority (CA) tool. Details on these flaws were not fully disclosed in the article, but patches have been issued.
Impact & Response
The vulnerabilities affect systems processing medical imaging, biomedical signals, and certificate management. While Libbiosig and Smallstep step-ca have released fixes, organizations using Grassroot DICOM should exercise caution until patches are available. Cisco Talos has provided detection rules via Snort to help identify exploitation attempts.
Source: https://blog.talosintelligence.com/libbiosig-grassroot-dicom-smallstep-step-ca-vulnerabilities/
Smallstep cybersecurity rating report: https://www.rankiteo.com/company/smallstep
{
  "id": "SMA1774456850",
  "linkid": "smallstep",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Biomedical Signal Processing', 'name': 'Libbiosig', 'type': 'Software Library'},
                       {'industry': 'Medical Imaging', 'name': 'Grassroot DICOM', 'type': 'Software Library'},
                       {'industry': 'Certificate Authority (CA) Tool', 'name': 'Smallstep step-ca', 'type': 'Software Library'}],
 'attack_vector': 'Maliciously crafted files (MFER, DICOM)',
 'data_breach': {'file_types_exposed': ['MFER', 'DICOM'],
                 'sensitivity_of_data': 'High (medical and personal data)',
                 'type_of_data_compromised': 'Biomedical signals, medical imaging data, heap memory'},
 'description': 'Cisco Talos’ Vulnerability Discovery & Research team uncovered and disclosed multiple vulnerabilities in three widely used software libraries: Libbiosig, Grassroot DICOM, and Smallstep step-ca. While patches have been released for most flaws, the Grassroot DICOM vulnerabilities remain unpatched zero-days.',
 'impact': {'data_compromised': 'Sensitive data exposure (heap memory, biomedical signals, medical imaging data)',
            'operational_impact': 'Potential arbitrary code execution, data leaks, and system compromise',
            'systems_affected': 'Systems processing medical imaging, biomedical signals, and certificate management'},
 'investigation_status': 'Ongoing (Grassroot DICOM vulnerabilities remain unpatched)',
 'post_incident_analysis': {'corrective_actions': 'Patches released for Libbiosig and Smallstep step-ca; detection rules provided via Snort',
                            'root_causes': 'Vulnerabilities in software libraries (buffer overflows, out-of-bounds reads)'},
 'recommendations': 'Apply patches for Libbiosig and Smallstep step-ca; monitor for exploitation attempts using Snort rules; exercise caution with Grassroot DICOM until patches are available.',
 'references': [{'source': 'Cisco Talos'}],
 'response': {'communication_strategy': 'Cisco Talos provided detection rules via Snort',
              'containment_measures': 'Patches released for Libbiosig and Smallstep step-ca; Grassroot DICOM remains unpatched',
              'enhanced_monitoring': 'Snort detection rules provided',
              'remediation_measures': 'Apply patches for Libbiosig and Smallstep step-ca; exercise caution with Grassroot DICOM'},
 'title': 'Cisco Talos Discloses Critical Vulnerabilities in Medical and Security Software Libraries',
 'type': 'Vulnerability Disclosure',
 'vulnerability_exploited': ['Stack-based buffer overflow (Libbiosig)',
                             'Out-of-bounds read (Grassroot DICOM)',
                             'Undisclosed flaws (Smallstep step-ca)']}