CISA Issues Medical Advisory on Pixmeo OsiriX MD

CISA has published an Industrial Control System (ICS) Medical Advisory highlighting multiple critical vulnerabilities in Pixmeo’s OsiriX MD software, affecting versions 14.0.1 and earlier. The vulnerabilities comprise two use-after-free flaws and a cleartext transmission issue, all of which are remotely exploitable with low attack complexity. If successfully exploited, they could lead to memory corruption, denial-of-service conditions, or unauthorized access to user credentials, which the OsiriX MD Web Portal transmits without encryption. The most severe vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) v4 score of 9.3.

The issues were reported by researchers at TXOne Networks and pose a significant risk to the healthcare and public health sectors. CISA and Pixmeo strongly urge users to update to the latest version of OsiriX MD and to implement recommended cybersecurity practices, such as isolating critical systems, using secure remote access solutions, and remaining vigilant against phishing and social engineering attacks. While no public exploitation has been reported to date, organizations should proactively assess their exposure and apply appropriate mitigations. For more details, refer to the ICS Advisory and CVE Information Page.