HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Heap Overflow Vulnerability Discovered in Orthanc DICOM Server Allows Remote Code Execution

Cisco Talos researchers uncovered a heap‑overflow flaw in the open‑source Orthanc DICOM server that can be triggered by a crafted DICOM file, potentially granting attackers remote code execution on PACS systems. The issue impacts healthcare imaging infrastructure and any third‑party solutions that embed Orthanc or related DICOM libraries.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 blog.talosintelligence.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
blog.talosintelligence.com

Heap Overflow Vulnerability Discovered in Orthanc DICOM Server Allows Remote Code Execution

What Happened — Researchers at Cisco Talos published a deep‑dive showing a heap‑overflow flaw in the open‑source Orthanc DICOM server. By sending a crafted DICOM file, an attacker can trigger an out‑of‑bounds write during image ingestion, potentially achieving remote code execution on the PACS host.

Why It Matters for TPRM

  • Critical imaging infrastructure (PACS) can be compromised, exposing patient data and disrupting clinical workflows.
  • Third‑party DICOM libraries (pydicom, GDCM) are widely embedded in vendor solutions, expanding the attack surface across many health‑tech partners.
  • Exploitation does not require authentication; any network‑exposed upload endpoint is a viable entry point.

Who Is Affected — Healthcare providers, medical imaging vendors, cloud‑hosted PACS services, and any organization that integrates Orthanc or dependent DICOM parsing libraries.

Recommended Actions

  • Inventory all third‑party services that run Orthanc or embed pydicom/GDCM.
  • Apply vendor‑provided patches or upgrade to the latest Orthanc release that mitigates the heap overflow.
  • Enforce strict validation of inbound DICOM files; consider sandboxing the ingestion pipeline.
  • Review network segmentation to limit exposure of image upload interfaces.

Technical Notes — The flaw is a classic heap overflow triggered by malformed DICOM tags, leading to an out‑of‑bounds write in the Orthanc image processing routine. No CVE has been assigned yet, but the proof‑of‑concept demonstrates full RCE on the host. Affected data includes any patient imaging studies stored on the compromised server. Source: Cisco Talos Blog

📰 Original Source
https://blog.talosintelligence.com/dicom-pydicom-gdcm-and-orthanc-a-technical-tour-of-what-really-happens-in-the-heap/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →