Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
A malicious server triggers the traversal during the client's C-GET, with no authentication or user interaction beyond initiating the retrieval; the primitive is an arbitrary file write, giving I:H and A:H with no direct confidentiality read.
Primary rating from Vendor (icscert).
Description (source: CVE.org)
A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative (../) paths and absolute paths.
Analysis (AI-generated)
Path traversal in OFFIS DCMTK (DICOM Toolkit) lets a malicious or compromised DICOM server write attacker-controlled files to arbitrary locations on a DCMTK client host whenever that client retrieves objects using bit-preserving C-GET storage mode. Because the client trusts server-supplied storage paths, both relative (../) and absolute paths escape the chosen output directory, enabling overwrite of client-side files and potential code execution. …
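The defect described above is the client accepting a server-supplied storage name as a path. The following C++17 snippet is an added example, not DCMTK's own code and not taken from the advisory: it shows the containment check a receiving client needs before opening a file under its chosen output directory, refusing absolute paths, ".." components and backslash separators, and then confirming after lexical normalization that the joined path still lies inside the output directory. The function names, the output directory and the sample names are assumptions.

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Hypothetical client-side check (not DCMTK code): decide whether a file name
// received from the remote server may be used under the local output directory.
// Rejects absolute paths, root names, ".." / "." / empty components and
// backslashes (a separator on Windows, so never trusted from the wire).
bool isSafeStorageName(const std::string& name) {
    if (name.empty() || name.find('\\') != std::string::npos) return false;
    fs::path p(name);
    if (p.is_absolute() || p.has_root_name() || p.has_root_directory()) return false;
    for (const fs::path& component : p) {
        if (component == ".." || component == "." || component.empty()) return false;
    }
    return true;
}

// Joins the name under outputDir and confirms, after lexical normalization,
// that the result still lies inside outputDir. Returns std::nullopt when the
// name must be refused; the caller should then abort the store, not fall back.
std::optional<std::string> resolveOutputPath(const std::string& outputDir,
                                             const std::string& name) {
    if (!isSafeStorageName(name)) return std::nullopt;
    const fs::path base = fs::path(outputDir).lexically_normal();
    const fs::path joined = (base / name).lexically_normal();
    // Containment: the path from base to joined must not begin with "..".
    const fs::path rel = joined.lexically_relative(base);
    if (rel.empty() || *rel.begin() == "..") return std::nullopt;
    return joined.generic_string();
}

int main() {
    // Constructed sample names as a server might supply them; the UID-like
    // name is a placeholder, not a real SOP Instance UID.
    const std::vector<std::string> names = {
        "1.2.3.4.5.dcm", "study1/series2/img.dcm",
        "../../etc/cron.d/job", "/etc/cron.d/job", "study1/../../x", "..\\..\\x",
    };
    for (const auto& n : names) {
        auto resolved = resolveOutputPath("/var/dicom/out", n);
        std::cout << n << " -> " << (resolved ? *resolved : "REFUSED") << '\n';
    }
    return 0;
}
```

The check is purely lexical: it does not follow symbolic links, so a pre-existing symlink inside the output directory could still redirect a write. A client that must defend against that as well should open the file relative to a directory handle, or resolve the final path with `std::filesystem::weakly_canonical` and repeat the containment test on the result.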
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the victim DCMTK client (a) initiate a C-GET retrieval and (b) be operating in bit-preserving storage mode; that storage mode is the exact feature that disables safe filename normalization and is the named precondition. … |
| Risk Assessment | The supplied CVSS 4.0 base score is 9.3 (Critical) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, indicating network reachability, low complexity, no privileges and no user interaction, with high impact to confidentiality, integrity and availability of the vulnerable client. … |
| Exploit Scenario | An attacker stands up or compromises a DICOM server (C-STORE SCP) that a hospital's DCMTK-based client queries using bit-preserving C-GET. When the client retrieves images, the malicious server returns objects whose storage paths contain ../ sequences or absolute paths, causing the client to write attacker-supplied files such as a cron job, startup script, or config file outside the intended directory. … |
| Remediation | Upgrade DCMTK to the fixed upstream release referenced at https://github.com/DCMTK/dcmtk/releases/tag/latest; the references point to a release tag rather than a specific semantic version, so the patched version is not independently confirmed from the input. Confirm the exact fixed version against the CISA advisory ICSMA-26-181-01 (https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01) before deploying. … |
Recommended Action (AI-generated)
Within 24 hours: Inventory all systems running OFFIS DCMTK with C-GET functionality; restrict network access to DICOM servers from an approved whitelist only. …
Weakness: CWE-22 – Path Traversal
Related identifiers: EUVD-2026-40422, GHSA-rmv2-5p78-8fvq