CVE-2025-3484 Overview
CVE-2025-3484 is a stack-based buffer overflow [CWE-121] in MedDream PACS Server that allows unauthenticated remote code execution. The flaw exists in the parsing of Digital Imaging and Communications in Medicine (DICOM) files, where the server fails to validate the length of user-supplied data before copying it into a fixed-length stack buffer. Attackers can exploit this issue over the network without authentication or user interaction. Successful exploitation grants code execution in the context of the PACS service account, which typically runs with elevated privileges on medical imaging infrastructure. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-25853 and assigned advisory ZDI-25-242.
Critical Impact
Unauthenticated remote attackers can execute arbitrary code on MedDream PACS Server installations by sending a malformed DICOM file, compromising medical imaging systems and patient data.
Affected Products
- MedDream PACS Server (Premium edition)
- All versions prior to the vendor-supplied patch
- Deployments exposing DICOM parsing services to untrusted networks
Discovery Timeline
- 2025-05-22 - CVE-2025-3484 published to the National Vulnerability Database
- 2025-07-11 - Last updated in NVD database
- Vulnerability tracked by Zero Day Initiative as ZDI-CAN-25853, published as advisory ZDI-25-242
Technical Details for CVE-2025-3484
Vulnerability Analysis
The vulnerability resides in the DICOM file parsing logic of MedDream PACS Server. DICOM is the standard format for medical imaging files exchanged between picture archiving and communication systems (PACS), modalities, and viewers. When the server processes an incoming DICOM file, parsing routines copy attribute data from the file into stack-allocated buffers of fixed size. The parser does not verify that the length of the incoming field is less than or equal to the destination buffer capacity. An oversized field overwrites adjacent stack memory, including the saved return address and any structured exception handler records on Windows builds. This produces a classic stack smashing condition exploitable for arbitrary code execution.
Root Cause
The root cause is missing input length validation prior to a memory copy operation, classified as [CWE-121] Stack-based Buffer Overflow. The parser trusts length or string fields provided in the DICOM data set without bounds checking. Because DICOM tags can carry attacker-controlled values of arbitrary length, a crafted file forces the copy operation to exceed the destination buffer.
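The unchecked-copy pattern described above, beside the bounds-checked form that removes the condition, as an added C example written for this page. It is not MedDream's code: the element layout (explicit VR little endian, short-VR header), the 64-byte destination buffer and the sample elements are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size stack buffer for one attribute value (illustrative size,
 * not MedDream's). */
#define VALUE_BUF 64

/* Explicit VR little endian header for a short-VR element such as PN or LO:
 *   group(2) | element(2) | VR(2) | length(2) | value bytes ...           */
#define HDR_LEN 8

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* VULNERABLE pattern: the CWE-121 condition the advisory describes. The
 * length field read from the file is used as the copy size with no
 * comparison against the destination or the bytes actually present. */
void log_patient_name_unchecked(const uint8_t *elem) {
    char name[VALUE_BUF];
    uint16_t len = le16(elem + 6);            /* attacker-controlled */
    memcpy(name, elem + HDR_LEN, len);        /* overflows name[] when len > 64 */
    name[len] = '\0';                         /* same problem for the terminator */
    printf("patient: %s\n", name);
}

/* HARDENED form: both bounds are checked before any byte is copied.
 * Returns the value length, or a negative code: -1 truncated header,
 * -2 declared length exceeds bytes present, -3 value would not fit. */
int log_patient_name_checked(const uint8_t *elem, size_t elem_len) {
    char name[VALUE_BUF];
    if (elem_len < HDR_LEN) return -1;
    uint16_t len = le16(elem + 6);
    if ((size_t)len > elem_len - HDR_LEN) return -2;
    if ((size_t)len >= sizeof name) return -3;     /* leave room for the NUL */
    memcpy(name, elem + HDR_LEN, len);
    name[len] = '\0';
    printf("patient: %s\n", name);
    return (int)len;
}

/* Constructed sample elements for (0010,0010) PatientName, VR "PN". */
static const uint8_t good_elem[]  = {0x10,0x00,0x10,0x00,'P','N',0x06,0x00,'D','O','E','^','J','O'};
/* Same bytes, but the length field claims 200 while only 6 value bytes follow. */
static const uint8_t lying_elem[] = {0x10,0x00,0x10,0x00,'P','N',0xC8,0x00,'D','O','E','^','J','O'};

int copy_good(void)  { return log_patient_name_checked(good_elem, sizeof good_elem); }
int copy_lying(void) { return log_patient_name_checked(lying_elem, sizeof lying_elem); }
/* 200 value bytes really present: consistent with the file, too big for the buffer. */
int copy_oversized(void) {
    uint8_t elem[HDR_LEN + 200];
    memcpy(elem, good_elem, HDR_LEN);
    elem[6] = 200; elem[7] = 0;
    memset(elem + HDR_LEN, 'A', 200);
    return log_patient_name_checked(elem, sizeof elem);
}

int main(void) {
    printf("good=%d lying=%d oversized=%d\n", copy_good(), copy_lying(), copy_oversized());
    return 0;
}
```

The checked version rejects two distinct cases that the unchecked one conflates: a length field that lies about how many bytes follow it (an over-read of the input), and a length that is honest but larger than the stack buffer (the overflow). A parser needs both comparisons, not just one.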
Attack Vector
The attack is network-reachable and requires no authentication or user interaction. An attacker submits a malicious DICOM file to the PACS server through any ingestion path the service exposes, such as the DICOM C-STORE protocol over TCP, a web upload interface, or an HTTP API endpoint. When the server parses the file, the overflow triggers and the attacker obtains code execution as the PACS service account. From that foothold, an adversary can access stored medical images, pivot deeper into the hospital network, or stage ransomware. Verified proof-of-concept code is not publicly available, but the Zero Day Initiative advisory confirms exploitability.
For technical details, see the Zero Day Initiative Advisory ZDI-25-242.
Detection Methods for CVE-2025-3484
Indicators of Compromise
- PACS service process crashes or unexpected restarts coinciding with inbound DICOM file processing
- Child processes spawned from the MedDream PACS service binary, especially shells, scripting interpreters, or cmd.exe
- DICOM files containing oversized tag values, malformed Value Representation (VR) fields, or anomalous element lengths
- Outbound network connections from the PACS service account to unfamiliar external hosts following DICOM ingestion
Detection Strategies
- Inspect DICOM ingestion logs for files with abnormally large attribute lengths or parsing errors followed by service crashes
- Apply network detection rules on DICOM ports (commonly TCP 104, 11112) to flag oversized C-STORE request payloads
- Correlate stack-based crash events from the PACS host with file ingestion timestamps to identify exploitation attempts
- Monitor endpoint telemetry for process lineage anomalies originating from the PACS service binary
Monitoring Recommendations
- Enable verbose application and crash logging on the PACS server and forward events to a centralized SIEM
- Baseline normal DICOM traffic volume and sender identity, then alert on deviations such as new external senders
- Track filesystem writes by the PACS service account, particularly to directories outside its expected working paths
- Monitor authentication events and lateral movement attempts originating from the PACS host account
How to Mitigate CVE-2025-3484
Immediate Actions Required
- Apply the vendor-supplied patch for MedDream PACS Server as soon as MedDream releases it
- Restrict network access to DICOM listener ports so only authorized modalities and workstations can submit studies
- Place the PACS server behind a segmented network zone with strict ingress filtering from clinical networks only
- Run the PACS service under a least-privilege account to limit the blast radius of successful exploitation
Patch Information
MedDream has been notified through the Zero Day Initiative coordinated disclosure process. Administrators should consult the Zero Day Initiative Advisory ZDI-25-242 and the MedDream vendor portal for the corrected build number and upgrade instructions. Verify the version after patching to confirm the fix is applied.
Workarounds
- Disable external exposure of DICOM ingestion endpoints and require VPN or mutual TLS for remote sender access
- Use an application-layer proxy or DICOM gateway that validates element lengths before forwarding files to the PACS server
- Allowlist DICOM sender Application Entity (AE) titles and source IP addresses on the PACS server configuration
- Enable host-based exploit mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard on the PACS host
rem Example: restrict DICOM port 11112 to the authorized modality subnet (10.20.30.0/24, illustrative) on Windows
rem Windows Firewall evaluates block rules before allow rules, so a separate "block other" rule on the
rem same port would override the allow rule below. Rely on the profile's default inbound block instead.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="PACS DICOM Allow Modalities" ^
dir=in action=allow protocol=TCP localport=11112 ^
remoteip=10.20.30.0/24
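A minimal element-length validator of the kind a DICOM gateway or ingestion check could run before a file reaches the PACS parser, covering both the "abnormally large attribute length" inspection under Detection Strategies and the validating-gateway workaround above. This is an added C example written for this page, not MedDream's code and not a complete DICOM parser: it walks explicit VR little endian data elements only, the per-VR caps are policy values taken from the VR length limits in DICOM PS3.5 (adjust them for your environment), and the sample streams are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-VR maximum value lengths in bytes (policy caps; values taken from the
 * VR length limits in DICOM PS3.5). VRs not listed get no cap and only the
 * "declared length must not exceed bytes present" check. */
struct vr_cap { const char *vr; uint32_t max; };
static const struct vr_cap CAPS[] = {
    {"AE", 16}, {"CS", 16}, {"DA", 8},  {"DS", 16}, {"IS", 12},   {"LO", 64},
    {"PN", 64}, {"SH", 16}, {"UI", 64}, {"TM", 16}, {"ST", 1024}, {"LT", 10240},
};

/* VRs whose explicit-VR header is 12 bytes (2 reserved + 4-byte length). */
static int is_long_vr(const uint8_t *vr) {
    static const char *const longs[] = {"OB", "OW", "OF", "SQ", "UT", "UN"};
    for (size_t i = 0; i < sizeof longs / sizeof longs[0]; i++)
        if (memcmp(vr, longs[i], 2) == 0) return 1;
    return 0;
}

static uint32_t cap_for(const uint8_t *vr) {
    for (size_t i = 0; i < sizeof CAPS / sizeof CAPS[0]; i++)
        if (memcmp(vr, CAPS[i].vr, 2) == 0) return CAPS[i].max;
    return 0;
}

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walks explicit VR little endian data elements. Returns the element count
 * when every declared length is consistent, otherwise a negative code with
 * *bad_off pointing at the offending element:
 *   -1 truncated header, -2 declared length exceeds the bytes present,
 *   -3 declared length exceeds the VR cap, -4 undefined length (0xFFFFFFFF). */
int validate_elements(const uint8_t *buf, size_t len, size_t *bad_off) {
    size_t off = 0;
    int count = 0;
    /* DICOM Part 10 files start with a 128-byte preamble followed by "DICM". */
    if (len >= 132 && memcmp(buf + 128, "DICM", 4) == 0) off = 132;
    while (off < len) {
        *bad_off = off;
        if (len - off < 8) return -1;
        const uint8_t *vr = buf + off + 4;
        size_t hdr;
        uint32_t vlen;
        if (is_long_vr(vr)) {
            if (len - off < 12) return -1;
            hdr = 12;
            vlen = le32(buf + off + 8);
            if (vlen == 0xFFFFFFFFu) return -4;   /* undefined-length SQ/pixel data: not handled here */
        } else {
            hdr = 8;
            vlen = le16(buf + off + 6);
        }
        if (vlen > len - off - hdr) return -2;   /* the check the vulnerable parser skips */
        uint32_t cap = cap_for(vr);
        if (cap != 0 && vlen > cap) return -3;
        off += hdr + vlen;
        count++;
    }
    *bad_off = 0;
    return count;
}

/* Constructed sample streams (not real studies). */
static const uint8_t clean_stream[] = {
    0x10,0x00,0x10,0x00,'P','N',0x06,0x00,'D','O','E','^','J','O',                     /* (0010,0010) PatientName */
    0x10,0x00,0x20,0x00,'L','O',0x08,0x00,'1','2','3','4','5','6','7','8',             /* (0010,0020) PatientID   */
    0xE0,0x7F,0x10,0x00,'O','B',0x00,0x00,0x04,0x00,0x00,0x00,0xAA,0xBB,0xCC,0xDD,     /* (7FE0,0010) PixelData   */
};
/* Same first element, but the length field claims 0x0100 bytes while only 6 follow. */
static const uint8_t lying_stream[] = {
    0x10,0x00,0x10,0x00,'P','N',0x00,0x01,'D','O','E','^','J','O',
};

int validate_clean(void) { size_t o; return validate_elements(clean_stream, sizeof clean_stream, &o); }
int validate_lying(void) { size_t o; return validate_elements(lying_stream, sizeof lying_stream, &o); }
/* A PatientName whose 100 bytes really are present but exceed the PN cap of 64. */
int validate_oversized(void) {
    uint8_t buf[8 + 100];
    memcpy(buf, clean_stream, 8);
    buf[6] = 100; buf[7] = 0;
    memset(buf + 8, 'A', 100);
    size_t o;
    return validate_elements(buf, sizeof buf, &o);
}

int main(void) {
    printf("clean=%d lying=%d oversized=%d\n", validate_clean(), validate_lying(), validate_oversized());
    return 0;
}
```

Run at the ingestion boundary, a negative result is also the detection signal described above: log the return code, the offending offset and the sender AE title, and correlate it with any PACS service crash that follows.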
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

