Dcmtk — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/dcmtk/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 06 Apr 2026 15:17:16 +0000OFFIS DCMTK Command Injection Vulnerability (CVE-2026-5663)https://feed.craftedsignal.io/briefs/2026-04-dcmtk-command-injection/Mon, 06 Apr 2026 15:17:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dcmtk-command-injection/A remote command injection vulnerability exists in OFFIS DCMTK version 3.7.0 and earlier due to insufficient input sanitization in the `storescp` application, potentially allowing unauthenticated attackers to execute arbitrary OS commands.A command injection vulnerability, identified as CVE-2026-5663, affects OFFIS DCMTK (Dicom ToolKit) versions up to 3.7.0. The vulnerability is located within the storescp application, specifically in the executeOnReception and executeOnEndOfStudy functions of the dcmnet/apps/storescp.cc file. An attacker can exploit this flaw by manipulating input parameters processed by these functions, leading to arbitrary OS command execution on the server. Remote exploitation is possible, making this a critical issue for systems utilizing vulnerable DCMTK versions. Applying the patch edbb085e45788dccaf0e64d71534cfca925784b8, available on the DCMTK GitHub repository, is the recommended course of action.

Attack Chain

  1. An attacker identifies a vulnerable OFFIS DCMTK instance running storescp exposed on the network.
  2. The attacker crafts a malicious DICOM request containing specially crafted parameters designed to exploit the command injection vulnerability in the executeOnReception or executeOnEndOfStudy functions.
  3. The storescp application receives the malicious DICOM request.
  4. The vulnerable executeOnReception or executeOnEndOfStudy functions process the attacker-controlled parameters without proper sanitization.
  5. The application attempts to execute a system command using the unsanitized input, injecting attacker-supplied code.
  6. The injected code executes arbitrary commands on the underlying operating system with the privileges of the storescp process.
  7. The attacker gains the ability to read sensitive files, modify system configurations, or execute malicious binaries.
  8. The attacker establishes persistence on the system or pivots to other internal resources.

Impact

Successful exploitation of CVE-2026-5663 can lead to complete compromise of the affected system. This allows an attacker to execute arbitrary commands, potentially leading to data theft, denial of service, or further propagation within the network. The healthcare sector, which relies heavily on DICOM for medical imaging, is particularly at risk. Unpatched DCMTK instances expose sensitive patient data and critical infrastructure to potential attacks.

Recommendation

  • Apply the patch edbb085e45788dccaf0e64d71534cfca925784b8 from the DCMTK GitHub repository to remediate CVE-2026-5663 immediately.
  • Monitor network traffic for suspicious activity originating from or directed to DCMTK servers, specifically looking for unusual command execution patterns (see Sigma rule below).
  • Implement input validation and sanitization for all user-supplied data processed by DCMTK applications to prevent command injection vulnerabilities in the future.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
]]>highadvisorycommand-injectiondcmtkcve-2026-5663storescp