CVE-2018-25374 Overview
CVE-2018-25374 is a directory traversal vulnerability [CWE-22] in Softneta MedDream PACS Server Premium 6.7.1.1. The flaw resides in the nocache.php endpoint, which fails to sanitize the path parameter. Unauthenticated attackers send encoded backslash sequences to escape the intended directory and read arbitrary files. Targets include system configuration files and password files on the host operating system. MedDream PACS is medical imaging software used by healthcare providers to store and view DICOM studies. Exposure of the server allows remote attackers to retrieve sensitive data without credentials, creating risk for patient data confidentiality and broader system compromise.
Critical Impact
Unauthenticated remote attackers can read arbitrary files from the MedDream PACS host, including operating system configuration and password files.
Affected Products
- Softneta MedDream PACS Server Premium 6.7.1.1
- nocache.php request handler
- Deployments exposing the PACS web interface to untrusted networks
Discovery Timeline
- 2026-05-25 - CVE-2018-25374 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2018-25374
Vulnerability Analysis
The vulnerability is a path traversal flaw classified under [CWE-22]. The nocache.php script accepts a user-controlled path parameter and uses it to locate a file on disk. The handler does not normalize the input or restrict access to an allowed base directory. Attackers supply encoded backslash traversal sequences to navigate outside the web root. The server then returns the contents of the requested file in the HTTP response.
Because the endpoint requires no authentication, exploitation succeeds with a single crafted HTTP request. Targets include /etc/passwd on Linux hosts and Windows configuration files such as win.ini or boot.ini. Attackers can also harvest application configuration files containing database credentials, API keys, and DICOM storage paths. Retrieved credentials enable lateral movement into adjacent healthcare systems and DICOM archives storing protected health information.
Root Cause
The root cause is missing input validation on the path parameter in nocache.php. The script concatenates attacker-supplied input into a file system path without canonicalizing the result or enforcing an allowlist of permitted directories. Encoded backslash sequences bypass any naive string filtering applied to forward slashes.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends an HTTP request to nocache.php with the path parameter populated with directory traversal sequences pointing at the target file. The vulnerability mechanism is documented in Exploit-DB #45347 and the VulnCheck Advisory on SoftNeta. No verified sanitized exploitation code is reproduced here.
Detection Methods for CVE-2018-25374
Indicators of Compromise
- HTTP requests to nocache.php containing encoded backslash sequences such as %5C..%5C or repeated .. path components in the path parameter
- Web server access logs showing successful 200 responses to nocache.php requests referencing files outside the application directory
- Outbound responses from the PACS server containing contents of /etc/passwd, /etc/shadow, or Windows system files
Detection Strategies
- Inspect web server and reverse proxy logs for nocache.php requests with traversal patterns in query strings
- Deploy web application firewall rules that block URL-encoded and double-encoded traversal sequences targeting the PACS endpoint
- Correlate unauthenticated access to nocache.php with subsequent anomalous file reads on the host file system
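The log inspection described in the strategies above, as an added Python example that is not part of the advisory or any vendor tooling. It percent-decodes the path parameter repeatedly, folds backslashes, and flags only whole `..` segments. The combined access log format, the sample lines, addresses and file names are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined-log-format line: source address, quoted request line, status code.
LOG_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
MAX_ROUNDS = 3  # peels single, double and triple percent-encoding

# Constructed sample lines (documentation addresses, placeholder file names).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /nocache.php?path=..%5C..%5Cexample.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /nocache.php?path=%252e%252e%255Cexample.txt HTTP/1.1" 403 0',
    '10.0.0.15 - - [01/Jan/2024:10:01:00 +0000] "GET /nocache.php?path=thumbs%5Creport..v2.jpg HTTP/1.1" 200 2048',
    '10.0.0.15 - - [01/Jan/2024:10:01:05 +0000] "GET /index.php?path=..%5Cexample.txt HTTP/1.1" 404 0',
]


def normalise(raw):
    """Percent-decode until stable, then fold backslashes into forward slashes."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.replace("\\", "/")


def scan_line(line):
    """Return a finding for a traversal attempt against nocache.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/nocache.php"):
        return None
    for pair in url.query.split("&"):  # split before decoding so an encoded '&' stays in its value
        name, _, value = pair.partition("=")
        if unquote(name).lower() != "path":
            continue
        decoded = normalise(value)
        if ".." in decoded.split("/"):  # whole-segment match, so 'report..v2.jpg' is not flagged
            return {"src": m["src"], "decoded": decoded, "served": m["status"] == "200"}
    return None


def scan(lines):
    """Return the findings for every line that matches."""
    return [f for f in map(scan_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to true corresponds to the 200-response indicator listed above and should be triaged first.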
Monitoring Recommendations
- Forward PACS server access logs to a centralized logging platform for retention and analysis
- Alert on any external source addresses interacting with nocache.php outside expected clinical workflows
- Monitor for credential reuse following suspicious PACS traffic, particularly database and service account logins
How to Mitigate CVE-2018-25374
Immediate Actions Required
- Restrict network access to the MedDream PACS Server so only authorized clinical workstations can reach the web interface
- Place the PACS server behind a reverse proxy or web application firewall that blocks traversal patterns in HTTP parameters
- Audit web server logs for prior exploitation attempts referencing nocache.php and rotate any credentials stored on the host
Patch Information
Upgrade Softneta MedDream PACS Server Premium beyond version 6.7.1.1. Refer to the SoftNeta MedDream PACS Download page for current releases and review the VulnCheck Advisory on SoftNeta for vendor remediation guidance.
Workarounds
- Block external access to nocache.php at the network or reverse proxy layer until the host is upgraded
- Run the PACS service under a low-privilege account that cannot read sensitive operating system files such as /etc/shadow
- Apply WAF signatures that decode URL and backslash escapes before matching traversal patterns in request parameters
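# Example NGINX rule to block traversal patterns on the vulnerable endpoint
location = /nocache.php {
    # $args is the raw query string and is not percent-decoded,
    # so the encoded forms are listed explicitly.
    # \x5c matches a literal backslash without depending on how
    # nginx unescapes backslashes inside a quoted string.
    if ($args ~* "(\.\./|\.\.\x5c|%2e%2e|%5c|%2f)") {
        return 403;
    }
    proxy_pass http://meddream_backend;
}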


