
OFFIS DCMTK Vulnerabilities: Protecting Medical Imaging Systems from Exploitation

Security Arsenal Team
July 1, 2026

Introduction

A quintet of vulnerabilities has been identified in the OFFIS DCMTK (DICOM Toolkit), a critical component widely used in medical imaging software across healthcare institutions. These vulnerabilities pose a significant risk to the confidentiality, integrity, and availability of medical imaging systems and, by extension, patient data protected under HIPAA.

For security practitioners in healthcare, this isn't just another vulnerability bulletin—it's a direct threat to clinical operations and patient safety. Medical imaging systems often run on specialized software with extended lifecycles and challenging patch requirements, making them attractive targets for threat actors.

The OFFIS DCMTK toolkit is a cornerstone library for implementing the DICOM standard in medical imaging applications. Vulnerabilities here can ripple through entire healthcare networks, affecting multiple vendors and systems simultaneously. Given the widespread adoption of DCMTK in both commercial and open-source medical imaging solutions, these vulnerabilities deserve immediate attention from healthcare security teams.

Technical Analysis

Affected Products and Scope

The vulnerabilities impact the OFFIS DCMTK toolkit, which is embedded in numerous commercial medical imaging products, including:

  • Picture Archiving and Communication Systems (PACS)
  • Radiology Information Systems (RIS)
  • Medical imaging modalities (CT, MRI, X-ray, ultrasound)
  • DICOM viewers and analysis tools
  • Healthcare integration engines

The specific affected versions of DCMTK would be detailed in the official vendor advisory. Healthcare organizations should assume widespread impact across their medical imaging ecosystem until proven otherwise through vendor communication and vulnerability assessment.

Vulnerability Overview

The five vulnerabilities identified in DCMTK could, depending on the flaw, lead to:

  • Remote code execution (RCE)
  • Denial of service (DoS)
  • Information disclosure
  • Privilege escalation

While specific technical details are emerging, the vulnerabilities are understood to reside in how DCMTK processes DICOM data streams. This includes:

  • Network parsing of DICOM objects
  • Memory management during image handling
  • Association negotiation protocols
  • Data decompression routines

Exploitation Requirements

While technical details vary across the five vulnerabilities, exploitation generally requires:

  • Network access to DICOM services (typically TCP port 104)
  • The ability to send malformed DICOM data to the vulnerable system
  • In some cases, no prior authentication

This is particularly concerning as DICOM services are often exposed within healthcare networks for legitimate clinical workflows, creating a broad attack surface. The fact that DICOM traffic often traverses network segments with relaxed security controls further amplifies the risk.

Exploitation Status

At the time of writing, confirm whether in-the-wild exploitation has been reported by monitoring threat intelligence feeds, vendor advisories, and CISA alerts. Given the high value of medical data and the typically poor security posture of many medical devices, healthcare organizations should assume that active scanning and exploitation attempts are imminent, even if no public exploit code exists yet.

Detection & Response

Sigma Rules

YAML
---
title: Unusual DICOM Service Process Spawn
id: 8a4f3c9d-2b5e-4f8a-9c1d-3e5f6a7b8c9d
status: experimental
description: Detects DICOM service processes spawning unexpected child processes that may indicate exploitation
references:
  - https://www.hipaajournal.com/offis-dcmtk-vulnerabilities-june-2026/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  parent:
    ParentImage|contains:
      - '\dcmqrscp.exe'
      - '\dcmrecv.exe'
      - '\storescp.exe'
      - '\movescu.exe'
      - '\findscu.exe'
  suspicious_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: parent and suspicious_child
falsepositives:
  - Administrative troubleshooting of DICOM services
level: high
---
title: Suspicious DICOM Network Traffic Patterns
id: 7b3e2d8c-1a4f-3e7b-8b0d-2d4e5f6a7b8c
status: experimental
description: Detects anomalous DICOM network connections that may indicate exploitation attempts
references:
  - https://www.hipaajournal.com/offis-dcmtk-vulnerabilities-june-2026/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 104
    Initiated: 'true'
  internal_source:
    SourceIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not internal_source
falsepositives:
  - Legitimate DICOM communications from trusted medical devices
level: medium
---
title: Anomalous DICOM Service Command-Line Arguments
id: 6c2d1b7a-0a3e-2d6a-7a9c-1c3d4e5f6a7b
status: experimental
description: Detects DCMTK-based services executing with unusual command-line arguments
references:
  - https://www.hipaajournal.com/offis-dcmtk-vulnerabilities-june-2026/
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.execution
  - attack.t1203
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\dcmqrscp.exe'
      - '\dcmrecv.exe'
      - '\storescp.exe'
      - '\movescu.exe'
      - '\findscu.exe'
  anomaly:
    CommandLine|contains:
      - '-exec'
      - '-c'
      - '/c'
      - ';'
      - '|'
      - '&'
  condition: selection and anomaly
falsepositives:
  - Administrative troubleshooting of DICOM services
level: high
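To sanity-check the conditions above before deploying them, here is an added example (not code from the page, from Sigma, or from any SIEM) that implements the three rules' logic in Python and runs it over constructed process-creation and network-connection events. The RFC 1918 test in the network rule is done with CIDR arithmetic rather than string prefixes, because a bare '172.' prefix also treats 172.32.0.0 through 172.255.255.255, which are public, as internal. All field names and events are constructed to mirror the Sigma logsources.

```python
"""Evaluate the logic of the three Sigma rules above against constructed events.

Added example for this advisory; it is not code from the page, from Sigma, or from
any SIEM. Field names mirror the Sigma process_creation and network_connection
logsources; every event below is constructed. Sigma's contains/endswith are
case-insensitive, so paths are lower-cased before matching.
"""
import ipaddress

DCMTK_IMAGES = ("\\dcmqrscp.exe", "\\dcmrecv.exe", "\\storescp.exe", "\\movescu.exe", "\\findscu.exe")
SCRIPT_HOSTS = ("\\powershell.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe")
CMDLINE_TOKENS = ("-exec", "-c", "/c", ";", "|", "&")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """RFC 1918 membership by CIDR arithmetic (unparseable addresses count as not private)."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:
        return False


def is_private_by_prefix(ip: str) -> bool:
    """The string-prefix test: it also accepts 172.32.0.0-172.255.255.255, which are public."""
    return ip.startswith(("192.168.", "10.", "172."))


def rule_process_spawn(ev: dict) -> bool:
    """Rule 1: DCMTK service image as parent, scripting host as child."""
    parent = ev.get("ParentImage", "").lower()
    child = ev.get("Image", "").lower()
    return any(p in parent for p in DCMTK_IMAGES) and child.endswith(SCRIPT_HOSTS)


def rule_network(ev: dict) -> bool:
    """Rule 2: initiated connection to TCP 104 from a source outside RFC 1918 space."""
    return (
        ev.get("DestinationPort") == 104
        and str(ev.get("Initiated", "")).lower() == "true"
        and not is_private(ev.get("SourceIp", ""))
    )


def rule_cmdline(ev: dict) -> bool:
    """Rule 3: DCMTK image whose command line contains one of the listed tokens.

    '-c' is a substring test, so an option such as --config also satisfies it; the
    false-positive rate of this rule depends on how the services are normally launched.
    """
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    return any(p in image for p in DCMTK_IMAGES) and any(t in cmd for t in CMDLINE_TOKENS)


# Constructed process_creation events.
PROCESS_EVENTS = [
    {"ParentImage": r"C:\DCMTK\bin\storescp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig"},
    {"ParentImage": r"C:\DCMTK\bin\storescp.exe", "Image": r"C:\DCMTK\bin\dcmdump.exe",
     "CommandLine": "dcmdump image.dcm"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\DCMTK\bin\storescp.exe",
     "CommandLine": "storescp.exe --config storescp.cfg 104"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\DCMTK\bin\storescp.exe",
     "CommandLine": r"storescp.exe 104 -od C:\dicom\incoming"},
]

# Constructed network_connection events (Sysmon-style fields).
NETWORK_EVENTS = [
    {"SourceIp": "10.20.30.40", "DestinationPort": 104, "Initiated": "true"},
    {"SourceIp": "172.40.1.5", "DestinationPort": 104, "Initiated": "true"},
    {"SourceIp": "203.0.113.9", "DestinationPort": 104, "Initiated": "true"},
    {"SourceIp": "192.168.5.6", "DestinationPort": 11112, "Initiated": "true"},
]


def run_rules(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS) -> dict:
    """Return the indices of the events each rule matches."""
    return {
        "spawn": [i for i, ev in enumerate(process_events) if rule_process_spawn(ev)],
        "cmdline": [i for i, ev in enumerate(process_events) if rule_cmdline(ev)],
        "network": [i for i, ev in enumerate(network_events) if rule_network(ev)],
    }


if __name__ == "__main__":
    for name, hits in run_rules().items():
        print(f"{name}: matched events {hits}")
```

Running it shows which constructed events each rule matches. Process event 2 illustrates that `-c` as a substring also matches an option such as `--config`, which is why the command-line rule's false-positive entry matters when tuning its level, and network event 1 (172.40.1.5) is correctly treated as external by the CIDR test although a '172.' prefix test would call it internal.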

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for unusual DICOM network connections
// DeviceNetworkEvents exposes LocalIP/RemoteIP/RemotePort (there is no SourceIP or DestinationPort column)
let DICOMPorts = dynamic([104, 11112, 2762, 5000]);
DeviceNetworkEvents
| where RemotePort in (DICOMPorts)
| where isempty(RemoteUrl)  // Exclude web traffic
| extend IsInternal = ipv4_is_in_range(RemoteIP, "10.0.0.0/8")
    or ipv4_is_in_range(RemoteIP, "172.16.0.0/12")
    or ipv4_is_in_range(RemoteIP, "192.168.0.0/16")
| where not(IsInternal) or InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe")
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort,
    InitiatingProcessFileName, InitiatingProcessCommandLine, IsInternal
| order by TimeGenerated desc

// Hunt for suspicious process executions related to DCMTK applications
let DCMTKProcesses = dynamic(["dcmqrscp.exe", "dcmrecv.exe", "storescp.exe", "movescu.exe", "findscu.exe"]);
let SuspiciousChildren = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "reg.exe", "net.exe"]);
DeviceProcessEvents
| where InitiatingProcessFileName in~ (DCMTKProcesses)  // parent is a DCMTK service
| where FileName in~ (SuspiciousChildren)                // child is a shell, script host or admin tool
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for DCMTK-related processes with suspicious child processes.
-- Parents are collected first and then joined to their children; a flat WHERE mixing
-- AND and OR would not express the pairing, because AND binds tighter than OR.
LET dcmtk_parents = SELECT Pid AS ParentPid, Name AS ParentName
                    FROM pslist()
                    WHERE Name =~ '^(dcmqrscp|dcmrecv|storescp|movescu|findscu)'

SELECT * FROM foreach(
    row=dcmtk_parents,
    query={
        SELECT ParentPid, ParentName, Pid AS ChildPid, Name AS ChildName,
               CommandLine, Username, CreateTime
        FROM pslist()
        WHERE Ppid = ParentPid
          AND Name =~ '^(powershell|cmd|wscript|cscript)'
    })

-- Check for connections on DICOM ports from processes other than the DICOM services
SELECT Pid, Name, Status, Family,
       Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort
FROM netstat()
WHERE Raddr.Port IN (104, 11112, 2762, 5000)
  AND NOT Name =~ '^(dcmqrscp|dcmrecv|storescp|movescu|findscu)'

-- Look for file modifications in DCMTK-related directories during the last 7 days
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs=['C:/Program Files/**/*dcmtk*/**',
                 'C:/Program Files (x86)/**/*dcmtk*/**'])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 60 * 60)

Remediation Script (PowerShell)

PowerShell
# DCMTK Vulnerability Assessment and Remediation Script
# Run with elevated privileges on Windows-based medical imaging systems

Write-Host "Starting DCMTK Vulnerability Assessment..." -ForegroundColor Cyan

# Function to check for DCMTK installations
function Find-DCMTKInstallations {
    $searchPaths = @(
        "${env:ProgramFiles}",
        "${env:ProgramFiles(x86)}",
        "${env:LOCALAPPDATA}",
        "${env:APPDATA}",
        "C:\"
    )
    
    $dcmtkFound = @()
    
    foreach ($path in $searchPaths) {
        if (Test-Path $path) {
            $results = Get-ChildItem -Path $path -Recurse -Filter "dcmqrscp.exe" -ErrorAction SilentlyContinue | 
                       Select-Object -ExpandProperty Directory -ErrorAction SilentlyContinue
            if ($results) {
                foreach ($result in $results) {
                    if ($dcmtkFound -notcontains $result.FullName) {
                        $dcmtkFound += $result.FullName
                    }
                }
            }
        }
    }
    
    return $dcmtkFound
}

# Function to check DCMTK version
function Get-DCMTKVersion {
    param(
        [string]$InstallPath
    )
    
    $versionFile = Join-Path -Path $InstallPath -ChildPath "VERSION" -ErrorAction SilentlyContinue
    if (Test-Path $versionFile) {
        return Get-Content -Path $versionFile -Raw -ErrorAction SilentlyContinue
    }
    
    # Fall back to a version string in a README; take the first matching file so -Raw yields one string
    $readmeFile = Get-ChildItem -Path $InstallPath -Filter "README*" -File -ErrorAction SilentlyContinue |
                  Select-Object -First 1
    if ($readmeFile) {
        $readmeContent = Get-Content -Path $readmeFile.FullName -Raw -ErrorAction SilentlyContinue
        if ($readmeContent -match "version\s+(\d+\.\d+\.\d+)") {
            return $matches[1]
        }
    }
    
    # Try to get version from executable
    $exes = Get-ChildItem -Path $InstallPath -Filter "*.exe" -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        try {
            $versionInfo = (Get-Item $exe.FullName).VersionInfo
            if ($versionInfo.FileVersion) {
                return $versionInfo.FileVersion
            }
        } catch {
            # Ignore errors when getting version info
        }
    }
    
    return "Unknown"
}

# Find DCMTK installations
Write-Host "Scanning for DCMTK installations..." -ForegroundColor Yellow
$dcmtkInstallations = Find-DCMTKInstallations

if ($dcmtkInstallations.Count -eq 0) {
    Write-Host "No DCMTK installations found." -ForegroundColor Green
} else {
    Write-Host "Found $($dcmtkInstallations.Count) DCMTK installation(s):" -ForegroundColor Yellow
    
    foreach ($install in $dcmtkInstallations) {
        $version = Get-DCMTKVersion -InstallPath $install
        Write-Host "  - Path: $install" -ForegroundColor White
        Write-Host "    Version: $version" -ForegroundColor White
        
        # Check for running DCMTK processes
        $processes = Get-Process | Where-Object { $_.Path -like "$install*" }
        if ($processes) {
            Write-Host "    WARNING: Running processes detected!" -ForegroundColor Red
            foreach ($proc in $processes) {
                Write-Host "      - $($proc.Name) (PID: $($proc.Id))" -ForegroundColor White
            }
        } else {
            Write-Host "    No running processes detected." -ForegroundColor Green
        }
    }
}

# Check for network listeners on DICOM ports
Write-Host "`nChecking for DICOM network listeners..." -ForegroundColor Yellow
$dicomPorts = @(104, 11112, 2762, 5000)
$netstatResults = netstat -ano | Select-String -Pattern "LISTENING"

foreach ($port in $dicomPorts) {
    $listeners = $netstatResults | Where-Object { $_ -match ":$port\s+" }
    if ($listeners) {
        Write-Host "WARNING: Active listener on DICOM port $port" -ForegroundColor Red
        $listeners | ForEach-Object {
            $parts = $_.Line.Trim() -split "\s+"
            # $pid is a read-only automatic variable in PowerShell, so the owning PID needs another name
            $ownerPid = $parts[$parts.Length - 1]
            $process = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            if ($process) {
                Write-Host "  - Process: $($process.Name) ($($process.Path))" -ForegroundColor White
                Write-Host "    PID: $ownerPid" -ForegroundColor White
            }
        }
    } else {
        Write-Host "No active listeners on DICOM port $port" -ForegroundColor Green
    }
}

# Provide remediation recommendations
Write-Host "`n=== REMEDIATION RECOMMENDATIONS ===" -ForegroundColor Cyan
Write-Host "1. Contact your medical imaging software vendor for updated versions addressing the DCMTK vulnerabilities" -ForegroundColor White
Write-Host "2. Apply vendor-provided patches following clinical change management procedures" -ForegroundColor White
Write-Host "3. If patches are unavailable, implement network segmentation to restrict DICOM port access" -ForegroundColor White
Write-Host "4. Monitor for suspicious activity on DICOM ports and DCMTK processes" -ForegroundColor White
Write-Host "5. Review and restrict unnecessary DICOM associations" -ForegroundColor White
Write-Host "6. Ensure DICOM services run with minimal required privileges" -ForegroundColor White
Write-Host "7. Implement application whitelisting for DCMTK-based applications" -ForegroundColor White

Write-Host "`nAssessment complete." -ForegroundColor Cyan

Remediation

Immediate Actions

  1. Vendor Engagement: Contact your medical imaging software vendors (PACS, RIS, modality vendors) to determine if their products use the vulnerable DCMTK toolkit and if patches or mitigations are available.

  2. Inventory Assessment: Conduct a thorough inventory of all medical imaging systems in your environment that may utilize DCMTK. This includes:

    • PACS servers and workstations
    • Modality workstations (CT, MRI, X-ray, etc.)
    • Third-party DICOM viewers
    • Integration engines and HL7/DICOM gateways

  3. Network Segmentation: Implement or reinforce network segmentation around medical imaging systems:

    • Restrict DICOM port (104) access to only authorized clinical systems
    • Implement VLAN separation for medical device networks
    • Deploy firewall rules to limit DICOM traffic to known IP addresses

  4. Monitoring: Enhance monitoring of DICOM services:

    • Alert on any unexpected DICOM association attempts
    • Monitor for unusual process spawning from DICOM applications
    • Baseline normal DICOM traffic patterns and alert on deviations
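For the first monitoring item, an added example (not DCMTK code, nor from the page) of checking the calling AE title on an incoming DICOM association before it is accepted. It parses the A-ASSOCIATE-RQ PDU as laid out in DICOM PS3.8 (type 01H, a reserved byte, a 4-byte big-endian length, the protocol version, 2 reserved bytes, 16-byte called and calling AE titles, 32 reserved bytes, then variable items), rejects frames whose declared length disagrees with the bytes received, and raises an alert for any calling AE title that is not on a constructed allowlist. The AE titles, the allowlist and the sample PDUs are constructed; a real deployment would feed captured association requests from a network tap or from the DICOM service's own log.

```python
"""Check the calling AE title of a DICOM A-ASSOCIATE-RQ against an allowlist.

Added example for this advisory; not DCMTK code. Layout per DICOM PS3.8: PDU type
01H, 1 reserved byte, 4-byte big-endian length, 2-byte protocol version, 2 reserved
bytes, 16-byte called AE title, 16-byte calling AE title, 32 reserved bytes, then
variable items (returned unparsed). Allowlist and sample frames are constructed.
"""
import struct
from dataclasses import dataclass

PDU_TYPE_ASSOCIATE_RQ = 0x01
FIXED_LEN = 68                   # protocol version through the 32 reserved bytes
MAX_PDU_LEN = 16 * 1024 * 1024   # refuse implausible lengths before doing any work


class MalformedPdu(ValueError):
    """The frame violates the PS3.8 layout; log and drop rather than interpret."""


@dataclass
class AssociateRequest:
    protocol_version: int
    called_ae: str
    calling_ae: str
    variable_items: bytes


def parse_associate_rq(data: bytes) -> AssociateRequest:
    """Parse an A-ASSOCIATE-RQ PDU, checking every length before reading past it."""
    if len(data) < 6:
        raise MalformedPdu("PDU header shorter than 6 bytes")
    pdu_type, _reserved, pdu_len = struct.unpack(">BBI", data[:6])
    if pdu_type != PDU_TYPE_ASSOCIATE_RQ:
        raise MalformedPdu(f"PDU type 0x{pdu_type:02x} is not A-ASSOCIATE-RQ")
    if pdu_len < FIXED_LEN or pdu_len > MAX_PDU_LEN:
        raise MalformedPdu(f"implausible PDU length {pdu_len}")
    body = data[6:]
    if len(body) != pdu_len:
        # The length field and the bytes on the wire disagree: never trust the field.
        raise MalformedPdu(f"declared length {pdu_len}, received {len(body)} bytes")
    (version,) = struct.unpack(">H", body[0:2])
    called_ae = body[4:20].decode("ascii", errors="replace").strip()
    calling_ae = body[20:36].decode("ascii", errors="replace").strip()
    return AssociateRequest(version, called_ae, calling_ae, body[FIXED_LEN:])


def build_associate_rq(called_ae: str, calling_ae: str, items: bytes = b"") -> bytes:
    """Assemble a well-formed PDU; used here only to construct sample input."""
    if len(called_ae) > 16 or len(calling_ae) > 16:
        raise ValueError("AE titles are at most 16 characters")
    body = (struct.pack(">HH", 1, 0)              # protocol version 1, 2 reserved bytes
            + called_ae.ljust(16).encode("ascii")
            + calling_ae.ljust(16).encode("ascii")
            + bytes(32)                           # reserved
            + items)
    return struct.pack(">BBI", PDU_TYPE_ASSOCIATE_RQ, 0, len(body)) + body


# Constructed allowlist of calling AE titles permitted to open associations.
ALLOWED_CALLING_AE = frozenset({"CT_SCANNER_01", "MRI_SUITE_A", "RAD_WS_07"})


def evaluate_association(data: bytes, allowed=ALLOWED_CALLING_AE) -> dict:
    """Triage one request: 'accept', 'alert' (unknown AE title) or 'reject' (malformed)."""
    try:
        rq = parse_associate_rq(data)
    except MalformedPdu as exc:
        return {"action": "reject", "reason": str(exc)}
    if rq.calling_ae not in allowed:
        return {"action": "alert", "calling_ae": rq.calling_ae, "called_ae": rq.called_ae,
                "reason": "calling AE title not on allowlist"}
    return {"action": "accept", "calling_ae": rq.calling_ae, "called_ae": rq.called_ae}


# Constructed sample frames: a known modality, an unknown peer, a truncated frame, a bogus length.
SAMPLE_OK = build_associate_rq("PACS_ARCHIVE", "CT_SCANNER_01")
SAMPLE_UNKNOWN = build_associate_rq("PACS_ARCHIVE", "UNKNOWN_AE")
SAMPLE_TRUNCATED = SAMPLE_OK[:-10]
SAMPLE_BAD_LENGTH = struct.pack(">BBI", PDU_TYPE_ASSOCIATE_RQ, 0, 0xFFFFFFFF) + bytes(FIXED_LEN)

if __name__ == "__main__":
    for label, frame in [("known", SAMPLE_OK), ("unknown", SAMPLE_UNKNOWN),
                         ("truncated", SAMPLE_TRUNCATED), ("bad length", SAMPLE_BAD_LENGTH)]:
        print(f"{label:>10}: {evaluate_association(frame)}")
```

The 'alert' outcome is what the monitoring item asks for: an association attempt from an AE title that is not in the baseline. The 'reject' outcome covers the malformed-data case the vulnerabilities concern, and a burst of rejects from one peer is itself worth alerting on.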

Vendor Patches

Apply vendor-provided patches following your organization's clinical change management procedures. Medical imaging systems often require coordination with vendors for patching to ensure clinical workflows are not disrupted. Document all patching activities for HIPAA compliance purposes.

Temporary Mitigations

If patches are not immediately available:

  1. Restrict DICOM Network Access: Limit inbound DICOM associations to known, authenticated clinical workstations only. Implement IP-based access controls on firewalls protecting medical imaging networks.

  2. Implement Application Controls: Use application whitelisting to prevent unauthorized code execution from DCMTK-based applications. Windows Defender Application Control (WDAC) or similar solutions can be effective.

  3. Review DICOM Association Settings: Ensure DICOM services are configured with strict association negotiation and only support necessary DICOM SOP classes. Disable any unused DICOM network services.

  4. Least Privilege: Verify DICOM services are running with minimal required privileges (avoid running as Administrator or root on Linux systems).

  5. Network-Based Controls: Implement network intrusion prevention systems (NIPS) capable of detecting and blocking known exploit patterns for DICOM services.

Long-term Recommendations

  1. Medical Device Security Program: Establish or strengthen your medical device security program with specific focus on DICOM infrastructure. Include DCMTK-based systems in your regular vulnerability assessment cycles.

  2. Contractual Requirements: Incorporate security requirements into vendor contracts, including specific timelines for vulnerability remediation and notification of security issues.

  3. Regular Vulnerability Scanning: Implement regular scanning of medical imaging networks (with vendor approval) to identify vulnerable components. Prioritize systems based on clinical impact and exposure.

  4. Cybersecurity Framework Alignment: Ensure your response aligns with NIST CSF, CIS Controls, and HIPAA Security Rule requirements. Document all response activities for compliance purposes.

  5. Threat Intelligence Integration: Subscribe to threat intelligence feeds specific to healthcare and medical device security to receive timely alerts about emerging vulnerabilities and exploitation campaigns.
