Introduction
Healthcare security teams are on high alert following the disclosure of a high-severity vulnerability affecting the OHIF (Open Health Imaging Foundation) Viewer. This widely used, zero-footprint web application is integral to modern PACS (Picture Archiving and Communication Systems), enabling radiologists and clinicians to view DICOM images via a browser.
The vulnerability, identified recently, poses a significant risk of Protected Health Information (PHI) theft. Given the reliance on interoperability in healthcare, this flaw provides a potential vector for unauthorized actors to exfiltrate sensitive medical imagery and patient data. Defenders must act immediately to identify instances of OHIF Viewers within their environments and enforce strict segmentation and access controls while patches are evaluated and deployed.
Technical Analysis
Affected Products and Platforms
The vulnerability targets the OHIF Viewer, a React-based, open-source medical imaging platform. It is commonly deployed in conjunction with DICOMweb servers (such as Orthanc, dcm4che, or Google Healthcare API) to render imaging studies.
- Platform: Web-based (Client-side JavaScript application)
- Affected Component: DICOM data handling and viewer interface logic
- Deployment: Typically hosted behind Nginx, Apache, or integrated into cloud-based VNA (Vendor Neutral Archives).
Vulnerability Mechanics
While specific CVE identifiers are pending publication, the vulnerability is characterized as a high-severity issue allowing for data theft. In the context of web-based DICOM viewers, this typically involves:
- Insecure Direct Object References (IDOR) or Broken Access Control: The flaw may allow unauthenticated or under-privileged users to retrieve specific Study Instance UIDs or Series Instance UIDs without proper authorization checks on the backend DICOMweb service.
- Client-Side Logic Manipulation: Attackers may manipulate the JavaScript state or API calls to the DICOMweb endpoints (WADO-RS or QIDO-RS) to bulk-download studies they are not authorized to view.
Exploitation Status
Intelligence indicates this vulnerability is currently under active review by the security community. In healthcare environments where OHIF is exposed to the internet without a VPN or Zero Trust access layer, the risk of active scanning and exploitation is elevated.
Detection & Response
Detecting exploitation of web-based application logic flaws requires a focus on behavioral analytics within web logs and backend server telemetry. Defenders should hunt for anomalous access patterns to DICOM endpoints.
Sigma Rules
The following Sigma rules detect suspicious access patterns indicative of DICOM data exfiltration attempts via the OHIF viewer or its backend services.
---
title: Potential Bulk DICOM Data Exfiltration via WADO-RS
id: 8c2d0e4f-1a3b-4c5d-9e6f-7a8b9c0d1e2f
status: experimental
description: Detects high-volume retrieval of DICOM instances (studies/series) consistent with bulk data exfiltration via WADO-RS endpoints.
references:
- https://www.hipaajournal.com/high-severity-vulnerability-identified-in-ohif-viewers-dicom/
author: Security Arsenal
date: 2026/05/12
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
category: webserver
product: apache
detection:
selection:
cs-uri-query|contains:
- '/studies/'
- '/series/'
- '/instances/'
filter:
sc-status: 200
timeframe: 5m
condition: selection and filter | count() > 100
falsepositives:
- Legitimate bulk access by radiology workstations or AI inference pipelines
level: high
---
title: Suspicious User-Agent Accessing OHIF DICOM Endpoints
id: 9d3e1f5a-2b4c-5d6e-0f1a-8b9c0d1e2f3a
status: experimental
description: Identifies access to OHIF DICOM endpoints from non-standard or automated user-agents, indicating potential scanning or tooling.
references:
- https://www.hipaajournal.com/high-severity-vulnerability-identified-in-ohif-viewers-dicom/
author: Security Arsenal
date: 2026/05/12
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
product: nginx
detection:
selection_uri:
cs-uri-stem|contains:
- '/ohif'
- '/wado-rs'
- '/qido-rs'
selection_ua:
cs-user-agent|contains:
- 'python-requests'
- 'curl'
- 'scanner'
- 'bot'
condition: all of selection_*
falsepositives:
- Legitimate integration testing or authorized API access
level: medium
KQL (Microsoft Sentinel / Defender)
This hunt query identifies abnormal spikes in data transfer volume from the web server hosting the DICOM viewer, a key indicator of bulk PHI exfiltration.
let baseline = DeviceNetworkEvents
| where RemotePort == 443 and RemoteUrl has_any("ohif", "dicom", "pacs")
| project SentBytes, Timestamp
| summarize AvgBytes = avg(SentBytes), StdDev = stdev(SentBytes) by bin(Timestamp, 1h);
DeviceNetworkEvents
| where RemotePort == 443 and RemoteUrl has_any("ohif", "dicom", "pacs")
| extend Hour = bin(Timestamp, 1h)
| join kind=inner baseline on Hour
| where SentBytes > (AvgBytes + (3 * StdDev)) // Detecting spikes > 3 standard deviations
| project Timestamp, DeviceName, InitiatingProcessAccount, RemoteUrl, SentBytes, AvgBytes
| sort by Timestamp desc
Velociraptor VQL
This artifact hunts for unexpected child processes spawned by the web server service, which could indicate exploitation leading to Remote Code Execution (RCE) or web shell activity.
-- Hunt for suspicious processes spawned by web services hosting OHIF
SELECT Pid, Name, CommandLine, Exe, Username, ParentPid
FROM pslist()
WHERE ParentPid IN (
SELECT Pid
FROM pslist()
WHERE Name =~ "node" OR Name =~ "python" OR Name =~ "apache2" OR Name =~ "nginx"
)
AND NOT Name =~ ParentPid -- Avoid self-referencing loops
AND (
Name =~ "sh" OR
Name =~ "bash" OR
Name =~ "powershell" OR
Name =~ "cmd" OR
Name =~ "curl" OR
Name =~ "wget"
)
Remediation Script (Bash)
This script assists Linux administrators in auditing the deployed version of OHIF and checking for recent unauthorized modifications to the viewer directory.
#!/bin/bash
# OHIF Viewer Hardening and Audit Script
# Author: Security Arsenal
# Date: 2026
echo "[*] Initiating OHIF Viewer Security Audit..."
# 1. Identify OHIF Installation Directory (Common paths)
OHIF_PATHS=("/var/www/html/ohif" "/usr/share/nginx/html/ohif" "/opt/ohif-viewer")
FOUND_PATH=""
for path in "${OHIF_PATHS[@]}"; do
if [ -d "$path" ]; then
FOUND_PATH="$path"
echo "[+] Found OHIF installation at: $FOUND_PATH"
break
fidone
if [ -z "$FOUND_PATH" ]; then
echo "[-] OHIF installation not found in default paths. Please check manually."
exit 1
fi
# 2. Check package. for version integrity
echo "[*] Verifying package. integrity..."
if [ -f "$FOUND_PATH/package." ]; then
# In a real scenario, hash this against a known good value
echo "[+] package. exists. Review version for updates:"
grep -E "'(version|name)'.*ohif" "$FOUND_PATH/package." || echo "Could not parse version."
else
echo "[!] WARNING: package. not found. Install may be corrupted."
fi
# 3. Check for recent file modifications (Last 24 hours)
echo "[*] Checking for files modified in the last 24 hours..."
find "$FOUND_PATH" -type f -mtime -1 -ls
# 4. Audit Web Server Permissions
echo "[*] Checking directory permissions..."
PERMS=$(stat -c "%a" "$FOUND_PATH")
if [ "$PERMS" != "755" ] && [ "$PERMS" != "750" ]; then
echo "[!] WARNING: Unusual permissions detected on $FOUND_PATH: $PERMS"
else
echo "[+] Permissions appear standard ($PERMS)."
fi
echo "[*] Audit complete. Review findings and apply vendor patches immediately."
Remediation
Immediate defensive actions are required to mitigate the risk of PHI theft associated with this vulnerability.
-
Patch Management:
- Monitor the Official OHIF Foundation GitHub Repository for security advisories and release updates.
- Upgrade to the latest patched version of the OHIF Viewer immediately upon availability.
-
Network Segmentation & Access Control:
- Ensure the OHIF Viewer and its associated DICOMweb endpoints are not directly accessible from the public internet.
- Enforce access through a Zero Trust Network Access (ZTNA) solution or VPN requiring Multi-Factor Authentication (MFA).
- Restrict backend DICOM port traffic (typically port 11112 or 104) to trusted IP addresses only.
-
WAF Configuration:
- Update Web Application Firewall (WAF) rules to block access to
/instances/,/series/, or/studies/endpoints if they are not strictly required for the workflow, or enforce strict rate limiting to prevent bulk scraping.
- Update Web Application Firewall (WAF) rules to block access to
-
Audit and Log Review:
- Conduct a retroactive review of web server logs for the past 30 days, looking for high-volume requests to DICOM endpoints from unusual IP addresses or User-Agents.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.