Critical Libbiosig, DiCoM, and Step-CA Flaws Expose Healthcare

breachwire Team · Dec 18, 2025 · 5 min read

Executive Summary

Three widely deployed open-source components, covering biomedical signal processing, medical imaging, and certificate authority infrastructure, have been reported by Cisco Talos to contain critical vulnerabilities, some of them still unpatched. The flaws in Libbiosig, Grassroots DICOM (GDCM), and Smallstep's step-ca expose healthcare systems and certificate issuance to compromise: unpatched deployments can be pushed to arbitrary code execution, memory disclosure, and unauthorized certificate creation. CISOs across health tech, cloud infrastructure, and enterprise environments should assess exposure immediately; this belongs on every security team's daily briefing.

What Happened

Cisco Talos has disclosed multiple high-severity vulnerabilities across three projects:

  • Libbiosig: the open-source biomedical signal processing library contains multiple stack-based buffer overflows in its MFER parser (CVE-2025-66043 through CVE-2025-66048). A crafted MFER file can trigger arbitrary code execution when parsed, so any system that accepts such files from outside is reachable.
  • Grassroots DICOM (GDCM): the lightweight medical imaging library has three out-of-bounds read bugs (CVE-2025-53618, CVE-2025-53619, CVE-2025-48429) that a malicious DICOM file can use to leak heap memory from the parsing process. No fix was available when this was published, so they are effectively zero-days for anyone running GDCM.
  • Smallstep step-ca: the lightweight certificate authority has an authentication bypass (CVE-2025-44005) that allows unauthorized certificate issuance through ACME or SCEP provisioner requests.

Libbiosig and step-ca have received patches; the GDCM vulnerabilities remain unpatched and therefore pose an immediate threat. Cisco Talos has published detailed advisories, and detection rules are available for Snort users.

Why This Matters for CISOs

Biomedical data, imaging systems, and certificate infrastructure rarely fail together, but these three flaws put all of them at risk at once:

  • Regulatory Risk: PHI exposure or tampered medical device inputs may lead to HIPAA or GDPR violations.
  • Operational Disruption: Exploitation could disrupt critical diagnostics and research workflows.
  • Supply Chain Threat: These tools are dependencies in broader software stacks—downstream risk is real and easily overlooked.
  • Trust Erosion: The step-ca vulnerability undermines certificate-based trust models, particularly in ACME-based deployments.

CISOs must recognize the strategic implications of these vulnerabilities and prioritize cross-departmental action from IT to compliance.

Threat & Risk Analysis

Attack Vectors

  • Libbiosig: the attacker delivers a crafted MFER file (a binary tag-length-value format for ECG and EEG waveforms) to any system that parses it with libbiosig v3.9.1 or earlier, whether by upload or any other ingestion path.
  • GDCM: malicious DICOM files reach the parser through web front ends, storage gateways, or imaging pipelines and trigger out-of-bounds reads.
  • step-ca: an attacker sends ACME or SCEP requests to a vulnerable step-ca and obtains certificates for names they do not control, which is the precondition for TLS impersonation and man-in-the-middle interception.

Exposure Scenarios

  • Healthcare Systems: PACS, biosignal monitoring and research platforms that link Libbiosig or GDCM are at immediate risk.
  • DevOps and CI/CD Pipelines: automated certificate provisioning through step-ca can be hijacked to issue rogue certificates.
  • Cloud Services: cloud-native certificate issuance built on vulnerable step-ca ACME configurations may hand out certificates that grant unauthorized access.

Supply Chain Relevance

  • These libraries are commonly found in packaged medical and security appliances, SDKs, and open-source distributions. A single vulnerable component can propagate through hospital systems, vendor UIs, and digital health integrators.

Attacker Motivations

  • Data Exfiltration: exploiting GDCM to leak diagnostic metadata and whatever else the imaging process holds in memory.
  • Code Execution / Persistence: Libbiosig buffer overflows can grant footholds on research hosts.
  • Trust Subversion: Unauthorized certs from step-ca can intercept sensitive device or server communications.

Enterprise Impact

  • Integrity Violations: corrupted or attacker-controlled inputs can propagate into downstream analytics and medical AI systems.
  • Availability Risks: Exploitation could crash medical imaging software or backend CA services.
  • Reputational Damage: Issuing forged certificates or medical file leaks could severely impact institutional trust.


MITRE ATT&CK Mapping

  • T1190 — Exploit Public-Facing Application
    All three can be reached remotely: the file parsers through ingestion endpoints, step-ca through its ACME and SCEP endpoints.
  • T1027 — Obfuscated Files or Information
    Crafted MFER and DICOM files can be shaped to pass naive format checks while still reaching the vulnerable code paths.
  • T1649 — Steal or Forge Authentication Certificates
    Unauthorized issuance through step-ca yields certificates that impersonate services or device identities.
  • T1552 — Unsecured Credentials
    Heap bytes leaked through GDCM can include whatever the process holds in memory, tokens and credentials included.
  • T1557 — Adversary-in-the-Middle
    A rogue certificate for a legitimate hostname lets an attacker terminate TLS for every client that trusts the CA.

Key Implications for Enterprise Security

  • Attackers have new pathways into healthcare data and certificate infrastructure.
  • The GDCM zero-days remain unpatched, so isolating the ingestion path and watching it with real-time telemetry are the only near-term controls.
  • A compromised step-ca issues trusted certificates silently; nothing in the resulting TLS session looks wrong to clients.
  • Threat actors may already be testing delivery of crafted files through these vectors.

Recommended Defenses & Actions

Immediate (0–24h)

  • Patch libbiosig and step-ca to the fixed releases named in the Cisco Talos advisories.
  • Disable or isolate GDCM-based ingestion in production until a fix ships; where it cannot be disabled, run the parser in a sandboxed, unprivileged process.
  • Deploy the updated Snort signatures from Cisco Talos.
  • Review CA logs for anomalous issuance: unexpected names, unexpected provisioners, and bursts from single clients.
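
The CA log review in the last bullet, as an added example that is not code from Smallstep or from this post: a small Python detector run over a constructed issuance trail. The record fields (serial, issued_at, provisioner, sans, remote_ip), the name policy and the burst threshold are assumptions; map your step-ca logs or database export onto that record shape first.

```python
"""Flag anomalous certificate issuance in a CA audit trail.

Added example for this post, not code from Smallstep or step-ca. The record
shape (serial, issued_at, provisioner, sans, remote_ip) is an assumed
normalised format: map your CA's own log or database export onto it first.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Assumed issuance policy: which provisioner may issue which name patterns.
# A '*' matches exactly one DNS label, so "*.web.example.internal" does not
# cover "a.b.web.example.internal".
ALLOWED_SANS = {
    "acme": ["*.web.example.internal"],
    "scep": ["*.devices.example.internal"],
}
BURST_WINDOW = timedelta(minutes=5)
BURST_LIMIT = 10  # certificates per client address per window before alerting


def san_allowed(provisioner, san):
    """True if some pattern for this provisioner matches the SAN label by label."""
    s_labels = san.lower().split(".")
    for pattern in ALLOWED_SANS.get(provisioner, []):
        p_labels = pattern.lower().split(".")
        if len(p_labels) == len(s_labels) and all(
            fnmatchcase(s, p) for s, p in zip(s_labels, p_labels)
        ):
            return True
    return False


def analyse(records):
    """Return (serial, reason) findings for policy violations and bursts."""
    findings = []
    recent = defaultdict(list)  # remote_ip -> issuance timestamps inside the window
    for r in sorted(records, key=lambda r: r["issued_at"]):
        ts = datetime.fromisoformat(r["issued_at"])
        prov = r["provisioner"]
        if prov not in ALLOWED_SANS:
            findings.append((r["serial"], f"provisioner {prov!r} not in issuance policy"))
        else:
            for san in r["sans"]:
                if not san_allowed(prov, san):
                    findings.append((r["serial"], f"SAN {san!r} outside policy for {prov!r}"))
        window = recent[r["remote_ip"]]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:  # slide the window forward
            window.pop(0)
        if len(window) > BURST_LIMIT:
            findings.append((r["serial"],
                             f"{len(window)} certificates from {r['remote_ip']} within {BURST_WINDOW}"))
    return findings


def load_records(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed sample audit trail (not real data): one good ACME cert, one SCEP
# cert for a name outside the device namespace, one from a provisioner the
# policy does not know, then eleven certs from one client inside two minutes.
SAMPLE_JSONL = "\n".join(
    [
        '{"serial": "0x01", "issued_at": "2025-12-18T09:00:00+00:00", "provisioner": "acme", '
        '"sans": ["api.web.example.internal"], "remote_ip": "10.0.1.5"}',
        '{"serial": "0x02", "issued_at": "2025-12-18T09:01:00+00:00", "provisioner": "scep", '
        '"sans": ["api.web.example.internal"], "remote_ip": "10.0.2.7"}',
        '{"serial": "0x03", "issued_at": "2025-12-18T09:02:00+00:00", "provisioner": "legacy-jwk", '
        '"sans": ["db.web.example.internal"], "remote_ip": "10.0.3.9"}',
    ]
    + [
        json.dumps({"serial": f"0x{0x10 + i:02x}",
                    "issued_at": f"2025-12-18T12:{i // 6:02d}:{(10 * i) % 60:02d}+00:00",
                    "provisioner": "acme", "sans": [f"h{i}.web.example.internal"],
                    "remote_ip": "10.0.9.9"})
        for i in range(11)
    ]
)


def run_example():
    return analyse(load_records(SAMPLE_JSONL))


if __name__ == "__main__":
    for serial, reason in run_example():
        print(serial, reason)
```

Each finding prints as serial plus reason; the same analyse() can sit in a SIEM enrichment job. The label-wise matching is deliberate: a plain glob would let "*.web.example.internal" cover "a.b.web.example.internal", widening the namespace a provisioner can issue into.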

Short Term (1–7 days)

  • Audit dependencies for Libbiosig and GDCM across endpoints and backend software, including vendor appliances that bundle them as shared libraries.
  • Add structural validation on MFER and DICOM ingestion routes: check magic bytes and declared lengths before the file reaches the parser.
  • Tighten step-ca provisioners: remove ACME and SCEP provisioners you do not use, and scope the remaining ones to the names and clients they are allowed to serve.
  • Ask healthcare vendors which versions of these components their software ships.
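
A concrete form of the ingestion-route validation above, written for this post as an added example (it is not GDCM code): a bounded walk over the DICOM File Meta Information group that rejects files whose declared element lengths exceed what the buffer holds, the input class behind out-of-bounds reads. The sample files it builds are constructed, not real studies, and the checker is a gate in front of the library, not a replacement for patching it. MFER ingestion needs the analogous tag-length-value bounds check.

```python
"""Bounded pre-parse of a DICOM Part 10 file header before it reaches GDCM.

Added example for this post; it is not GDCM code and is no substitute for a
patched library. It walks the File Meta Information group and rejects any
element whose declared length runs past the end of the buffer, so such files
never reach the real parser.
"""
from __future__ import annotations
import struct

PREAMBLE = 128
MAGIC = b"DICM"
# Explicit-VR encoding: these VRs carry 2 reserved bytes and a 4-byte length;
# every other VR has a 2-byte length directly after the VR.
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ", b"SV",
            b"UC", b"UN", b"UR", b"UT", b"UV"}
UNDEFINED_LENGTH = 0xFFFFFFFF


def check_dicom_header(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Group 0002 must be Explicit VR Little Endian, so
    its elements can be checked without knowing the dataset transfer syntax."""
    if len(data) < PREAMBLE + 4:
        return False, "shorter than preamble plus magic"
    if data[PREAMBLE:PREAMBLE + 4] != MAGIC:
        return False, "missing DICM magic at offset 128"
    pos = PREAMBLE + 4
    seen = 0
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # meta group done; the dataset proper starts here
        vr = data[pos + 4:pos + 6]
        if not vr.isalpha():
            return False, f"(0002,{elem:04X}) has non-ASCII VR {vr!r}"
        if vr in LONG_VRS:
            if pos + 12 > len(data):
                return False, f"(0002,{elem:04X}) header truncated"
            (length,) = struct.unpack_from("<I", data, pos + 8)
            value_start = pos + 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            value_start = pos + 8
        if length == UNDEFINED_LENGTH:
            return False, f"(0002,{elem:04X}) uses undefined length"
        remaining = len(data) - value_start
        if length > remaining:
            return False, (f"(0002,{elem:04X}) declares {length} bytes "
                           f"but only {remaining} remain")
        if elem == 0x0000 and length == 4:
            (group_len,) = struct.unpack_from("<I", data, value_start)
            if value_start + 4 + group_len > len(data):
                return False, "(0002,0000) group length exceeds file size"
        seen += 1
        pos = value_start + length
    if seen == 0:
        return False, "no File Meta Information elements"
    return True, f"{seen} meta elements, lengths consistent"


def _element(group: int, elem: int, vr: bytes, value: bytes) -> bytes:
    """Encode one Explicit VR Little Endian element."""
    tag = struct.pack("<HH", group, elem)
    if vr in LONG_VRS:
        return tag + vr + b"\0\0" + struct.pack("<I", len(value)) + value
    return tag + vr + struct.pack("<H", len(value)) + value


def build_sample(bad_length: bool = False) -> bytes:
    """Constructed minimal Part 10 file (no pixel data). With bad_length the
    Transfer Syntax UID element claims 65520 bytes it does not have."""
    ts_uid = b"1.2.840.10008.1.2.1\0"  # Explicit VR LE, NUL-padded to even
    body = (_element(0x0002, 0x0001, b"OB", b"\x00\x01")
            + _element(0x0002, 0x0010, b"UI", ts_uid))
    if bad_length:
        body = body[:-len(ts_uid) - 2] + struct.pack("<H", 0xFFF0) + ts_uid
    meta = _element(0x0002, 0x0000, b"UL", struct.pack("<I", len(body))) + body
    dataset = _element(0x0008, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.7\0")
    return b"\0" * PREAMBLE + MAGIC + meta + dataset


if __name__ == "__main__":
    print(check_dicom_header(build_sample()))
    print(check_dicom_header(build_sample(bad_length=True)))
```

The gate only reads what it has already bounds-checked, which is the property the vulnerable parser lacks. Reject on any failure rather than attempting repair: a file that fails this check is either corrupt or hostile, and neither belongs in an imaging pipeline.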

Strategic (30 days)

  • Mandate SBOM (Software Bill of Materials) review in vendor procurement, so the next advisory against a niche library can be matched to inventory in hours rather than weeks.
  • Integrate routine static analysis and fuzz testing for third-party parsing libraries; memory-safety bugs in file parsers are exactly what fuzzing is built to surface.
  • Monitor issuance continuously: a private step-ca does not publish to public Certificate Transparency logs, so export its issuance records to the SIEM and alert on names or volumes outside policy.
  • Expand threat modeling to cover medical device libraries and CA pipelines.
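
The dependency audit and the SBOM review from the lists above, as one added example (not a vendor tool): a Python scan of a constructed CycloneDX SBOM against the components named in this post. The affected range for libbiosig is the one stated here (3.9.1 and earlier); GDCM and step-ca have no fixed version stated, so every hit on them is reported for verification. The SBOM contents, package names and versions are constructed. One practical point the scan accounts for: step-ca appears in Go-derived SBOMs under its module path github.com/smallstep/certificates, not as "step-ca".

```python
"""Scan a CycloneDX SBOM for the components named in this advisory.

Added example for this post, not a vendor tool. Affected-version data comes
from the post (libbiosig 3.9.1 and earlier); GDCM and step-ca have no fixed
release stated here, so every occurrence is reported for manual confirmation
against the Cisco Talos advisories. Update ADVISORIES as fixes ship.
"""
import json
import re

ADVISORIES = [
    {"fragments": ["libbiosig"], "last_affected": "3.9.1",
     "note": "CVE-2025-66043..66048 MFER parser stack overflows"},
    {"fragments": ["gdcm"], "last_affected": None,
     "note": "CVE-2025-53618/53619/48429 OOB reads, no fix at publication"},
    # step-ca's Go module path is github.com/smallstep/certificates, so an SBOM
    # generated from source may not contain the string "step-ca" at all.
    {"fragments": ["step-ca", "smallstep/certificates"], "last_affected": None,
     "note": "CVE-2025-44005 auth bypass, confirm the fixed release"},
]


def version_key(version):
    """Leading dotted integers only: '3.9.0-1ubuntu2' -> (3, 9, 0).
    Distro suffixes are dropped, which can hide a backported fix, so a hit
    means 'check this', not 'this is exploitable'."""
    m = re.match(r"(\d+(?:\.\d+)*)", version or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def component_matches(comp, fragments):
    haystack = ((comp.get("name") or "") + " " + (comp.get("purl") or "")).lower()
    return any(f in haystack for f in fragments)


def audit_sbom(bom):
    """Return one finding per component that matches an advisory entry."""
    findings = []
    for comp in bom.get("components", []):
        version = comp.get("version") or ""
        for adv in ADVISORIES:
            if not component_matches(comp, adv["fragments"]):
                continue
            if adv["last_affected"] is None:
                status = "verify"  # no fixed version known
            elif version_key(version) <= version_key(adv["last_affected"]):
                status = "affected"  # also the result for an unparseable version
            else:
                status = "above-last-affected"
            findings.append({"name": comp.get("name"), "version": version,
                             "status": status, "note": adv["note"]})
            break
    return findings


# Constructed SBOM fragment (not from a real system).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libbiosig2", "version": "3.9.0-1",
     "purl": "pkg:deb/debian/libbiosig2@3.9.0-1"},
    {"type": "library", "name": "libgdcm3.0", "version": "3.0.24-1",
     "purl": "pkg:deb/debian/libgdcm3.0@3.0.24-1"},
    {"type": "application", "name": "certificates", "version": "0.28.0",
     "purl": "pkg:golang/github.com/smallstep/certificates@0.28.0"},
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:deb/debian/openssl@3.0.13"}
  ]
}
""")

if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_BOM):
        print(f"{f['status']:>20}  {f['name']} {f['version']}  ({f['note']})")
```

Matching on both name and purl is what catches the Go module case; matching on name alone would have missed step-ca in the sample. Treat "affected" as a prioritisation signal and confirm against the distribution's changelog before declaring a host exploitable, since distro packages often carry backported fixes under the old upstream version.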

Conclusion

The vulnerabilities in Libbiosig, Grassroots DICOM (GDCM), and Smallstep step-ca highlight the hidden risk in niche but critical infrastructure libraries. As attackers probe unconventional entry points, flaws like these show how an obscure parser or a small internal CA can ripple across healthcare and security ecosystems. CISOs should treat them as more than routine patches: they mark the kind of component that rarely gets scrutiny yet sits directly on the path to patient data and organizational trust. Fold this into your daily briefing and act before these vulnerabilities are weaponized more widely.
