{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5663/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5663"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","dcmtk","cve-2026-5663","storescp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA command injection vulnerability, identified as CVE-2026-5663, affects OFFIS DCMTK (Dicom ToolKit) versions up to 3.7.0. The vulnerability is located within the \u003ccode\u003estorescp\u003c/code\u003e application, specifically in the \u003ccode\u003eexecuteOnReception\u003c/code\u003e and \u003ccode\u003eexecuteOnEndOfStudy\u003c/code\u003e functions of the \u003ccode\u003edcmnet/apps/storescp.cc\u003c/code\u003e file. An attacker can exploit this flaw by manipulating input parameters processed by these functions, leading to arbitrary OS command execution on the server. Remote exploitation is possible, making this a critical issue for systems utilizing vulnerable DCMTK versions. Applying the patch edbb085e45788dccaf0e64d71534cfca925784b8, available on the DCMTK GitHub repository, is the recommended course of action.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable OFFIS DCMTK instance running \u003ccode\u003estorescp\u003c/code\u003e exposed on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DICOM request containing specially crafted parameters designed to exploit the command injection vulnerability in the \u003ccode\u003eexecuteOnReception\u003c/code\u003e or \u003ccode\u003eexecuteOnEndOfStudy\u003c/code\u003e functions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003estorescp\u003c/code\u003e application receives the malicious DICOM request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eexecuteOnReception\u003c/code\u003e or \u003ccode\u003eexecuteOnEndOfStudy\u003c/code\u003e functions process the attacker-controlled parameters without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe application attempts to execute a system command using the unsanitized input, injecting attacker-supplied code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes arbitrary commands on the underlying operating system with the privileges of the \u003ccode\u003estorescp\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to read sensitive files, modify system configurations, or execute malicious binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the system or pivots to other internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5663 can lead to complete compromise of the affected system. This allows an attacker to execute arbitrary commands, potentially leading to data theft, denial of service, or further propagation within the network. The healthcare sector, which relies heavily on DICOM for medical imaging, is particularly at risk. Unpatched DCMTK instances expose sensitive patient data and critical infrastructure to potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch \u003ccode\u003eedbb085e45788dccaf0e64d71534cfca925784b8\u003c/code\u003e from the DCMTK GitHub repository to remediate CVE-2026-5663 immediately.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity originating from or directed to DCMTK servers, specifically looking for unusual command execution patterns (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied data processed by DCMTK applications to prevent command injection vulnerabilities in the future.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:16Z","date_published":"2026-04-06T15:17:16Z","id":"/briefs/2026-04-dcmtk-command-injection/","summary":"A remote command injection vulnerability exists in OFFIS DCMTK version 3.7.0 and earlier due to insufficient input sanitization in the `storescp` application, potentially allowing unauthenticated attackers to execute arbitrary OS commands.","title":"OFFIS DCMTK Command Injection Vulnerability (CVE-2026-5663)","url":"https://feed.craftedsignal.io/briefs/2026-04-dcmtk-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5663","version":"https://jsonfeed.org/version/1.1"}