CVE-2026-5663 Overview
A command injection vulnerability has been discovered in OFFIS DCMTK up to version 3.7.0. This security flaw impacts the executeOnReception and executeOnEndOfStudy functions within the file dcmnet/apps/storescp.cc of the storescp component. An attacker can manipulate input to achieve OS command injection, and remote exploitation of this vulnerability is possible.
Critical Impact
Remote attackers can inject and execute arbitrary operating system commands on systems running vulnerable versions of DCMTK's storescp application, potentially leading to complete system compromise in healthcare imaging environments.
Affected Products
- OFFIS DCMTK up to 3.7.0
- storescp component (dcmnet/apps/storescp.cc)
- Systems using DCMTK for DICOM medical imaging communications
Discovery Timeline
- 2026-04-06 - CVE-2026-5663 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-5663
Vulnerability Analysis
This vulnerability is classified as CWE-77 (Command Injection), which occurs when untrusted data is used to construct commands that are then executed by the system. The storescp application is a DICOM storage service class provider commonly used in healthcare environments for receiving and storing medical images.
The vulnerable functions executeOnReception and executeOnEndOfStudy in storescp.cc failed to properly sanitize filename inputs before passing them to system execution contexts. This allowed attackers to craft malicious filenames containing shell metacharacters that would be interpreted as commands when processed.
Root Cause
The root cause stems from insufficient input sanitization in the filename handling routines. Prior to the patch, the OFStandard::sanitizeFilename() function only replaced path separator characters with underscores, leaving other dangerous characters such as semicolons, pipes, backticks, and shell metacharacters intact. These unsanitized characters could be leveraged to break out of the intended command context and inject arbitrary OS commands.
Attack Vector
The vulnerability is exploitable remotely via the network. An attacker can send specially crafted DICOM data to a vulnerable storescp instance with malicious filenames containing command injection payloads. When the application processes these files using the executeOnReception or executeOnEndOfStudy callback functions, the injected commands are executed with the privileges of the storescp process.
The following patch demonstrates how the vulnerability was addressed by implementing comprehensive input sanitization:
}
+static const char sanitized_filename_charset[] =
+{
+ ' ', '_', '_', '_', '_', '_', '_', '_', '_', '_', '_', '_', '_', '-', '.', '_',
+ '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', '_', '_', '_', '_', '_',
+ '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O',
+ 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '_', '_', '_', '_', '_',
+ '_', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',
+ 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '_', '_', '_', '_', '_'
+};
+
+
void OFStandard::sanitizeFilename(OFString& fname)
{
const size_t len = fname.length();
+ char c;
for (size_t i = 0; i < len; ++i)
{
-#ifdef _WIN32
- if ((fname[i] == PATH_SEPARATOR) || (fname[i] == '/')) fname[i] = '_';
-#else
- if (fname[i] == PATH_SEPARATOR) fname[i] = '_';
-#endif
+ c = fname[i];
+ if (c != 0 && (c < 32 || c >= 127)) c = '_'; else c = sanitized_filename_charset[c-32];
+ fname[i] = c;
}
}
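Review bot: the mapping at `+ if (c != 0 && (c < 32 || c >= 127)) c = '_'; else c = sanitized_filename_charset[c-32];` keeps space, ':' and '@' (table indices 0, 26 and 32) and passes an embedded NUL through unchanged, so a sanitized name can still contain a word separator; the storescp callers that substitute the filename into the --exec-on-reception / --exec-on-eostudy command line should quote it (or pass it as its own argv element) rather than rely on this mapping alone. A short comment would also help a later reader: `char` may be signed, which is why both `c < 32` and `c >= 127` are needed to send bytes above 0x7F to '_', and the `c-32` table index is therefore only reached for 32..126, which the 96-entry table covers.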
Source: GitHub Commit Update
The patch implements a whitelist-based approach using a character mapping table that replaces all potentially dangerous characters with underscores, allowing only alphanumeric characters, spaces, hyphens, periods, colons, underscores, and the @ symbol to pass through unchanged.
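As an added illustration (not DCMTK's own code), the following C++ reimplements the pre-patch behaviour, which only rewrites the path separator, beside the whitelist behaviour the new mapping table encodes, and checks each result against common POSIX shell metacharacters. It assumes a POSIX build where PATH_SEPARATOR is '/'; the function names and the sample filenames are hypothetical.

```cpp
#include <iostream>
#include <string>

// Pre-patch behaviour of OFStandard::sanitizeFilename(): only the path
// separator is rewritten. Assumption: a POSIX build, where PATH_SEPARATOR
// is '/'. (Hypothetical name; reimplemented here, not DCMTK's code.)
std::string sanitizeFilenameLegacy(std::string fname) {
    for (char &c : fname) {
        if (c == '/') c = '_';
    }
    return fname;
}

// The character classes the patch's 96-entry mapping table keeps: space,
// '-', '.', ':', '@', '_', digits and ASCII letters. Everything else maps
// to '_'.
bool isAllowedFilenameChar(unsigned char c) {
    if (c >= '0' && c <= '9') return true;
    if (c >= 'A' && c <= 'Z') return true;
    if (c >= 'a' && c <= 'z') return true;
    switch (c) {
        case ' ': case '-': case '.': case ':': case '@': case '_':
            return true;
        default:
            return false;
    }
}

// Post-patch behaviour expressed as a predicate instead of a table.
// Control bytes, DEL and anything above 0x7F fall outside the whitelist
// and become '_'; an embedded NUL is left untouched, as in the patch.
std::string sanitizeFilenameWhitelist(std::string fname) {
    for (char &c : fname) {
        const unsigned char u = static_cast<unsigned char>(c);
        if (u == 0) continue;
        if (!isAllowedFilenameChar(u)) c = '_';
    }
    return fname;
}

// Characters a POSIX shell interprets when a name is spliced into a
// command line unquoted. Used here only to compare the two sanitizers.
bool containsShellMetachar(const std::string &fname) {
    return fname.find_first_of(";|&`$()<>\"'\\*?{}[]!~\n") != std::string::npos;
}

int main() {
    // Constructed sample names; the second embeds a command separator,
    // the third a directory traversal.
    const std::string names[] = {
        "CT.1.2.840.113619.dcm",
        "CT.1.2;x.dcm",
        "../escape.dcm",
    };
    for (const std::string &n : names) {
        const std::string legacy = sanitizeFilenameLegacy(n);
        const std::string fixed = sanitizeFilenameWhitelist(n);
        std::cout << n << " -> legacy: " << legacy
                  << (containsShellMetachar(legacy) ? " [metachar survives]" : "")
                  << " | whitelist: " << fixed << '\n';
    }
    return 0;
}
```

The legacy routine leaves `;` in place, which is exactly the class of character the callback context would interpret; the whitelist version maps it, and every other non-listed byte, to `_` while keeping typical DICOM-style names (UIDs, AE titles with `@` and `:`) readable.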
Detection Methods for CVE-2026-5663
Indicators of Compromise
- Unusual process spawning from storescp processes, particularly shell interpreters (bash, sh, cmd.exe)
- Unexpected network connections originating from DCMTK storescp service processes
- DICOM files with filenames containing shell metacharacters such as ;, |, `, $(), or &
- Anomalous system calls or command executions correlated with DICOM storage operations
Detection Strategies
- Monitor storescp processes for child process creation that deviates from normal DICOM storage operations
- Implement network intrusion detection rules to identify DICOM traffic containing suspicious filename patterns
- Review storescp logs for unusual filename entries or processing errors
- Deploy file integrity monitoring on directories where storescp stores received DICOM files
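To make the process-tree indicators above concrete, here is an added C++ example (not DCMTK or any vendor's code) that evaluates a short list of constructed process-creation events against two rules: a child of storescp whose image is not on the deployment's allowlist, and an allowed child whose command line carries the shell metacharacters from the indicator list, which a sanitized filename never contains. The event layout, the field names, the allowlist contents and the sample telemetry are all assumptions.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// One process-creation record as an endpoint sensor might report it.
// Constructed shape for this example; real sensors use their own schema.
struct ProcEvent {
    std::string parent;   // image name of the parent process
    std::string child;    // image name of the process it spawned
    std::string cmdline;  // full command line of the child
};

struct Alert {
    std::string reason;
    std::string cmdline;
};

// Shell metacharacters from the indicator list. A sanitized filename never
// carries them, so their presence in a storescp-spawned command line is
// worth an alert on its own.
bool hasShellMetachar(const std::string &s) {
    return s.find_first_of(";|&`$()") != std::string::npos;
}

// Rule: for every child of storescp, alert when the child image is not on
// the operator's allowlist, or when its command line carries metacharacters.
// The allowlist is a deployment decision: sites that legitimately use
// --exec-on-reception put the invoked tool (and, if it is launched through
// a shell, that shell) on it; sites that disabled the exec options leave it
// empty so that any child at all is flagged.
std::vector<Alert> detectSuspiciousChildren(const std::vector<ProcEvent> &events,
                                            const std::set<std::string> &allowedChildren) {
    std::vector<Alert> alerts;
    for (const ProcEvent &e : events) {
        if (e.parent != "storescp") continue;
        if (allowedChildren.count(e.child) == 0) {
            alerts.push_back({"unexpected child image '" + e.child + "' spawned by storescp",
                              e.cmdline});
        } else if (hasShellMetachar(e.cmdline)) {
            alerts.push_back({"shell metacharacters in storescp child command line",
                              e.cmdline});
        }
    }
    return alerts;
}

// Constructed sample telemetry: a normal post-processing call, a shell the
// deployment never configured, an unrelated cron job, and an allowed tool
// handed a filename that was never sanitized.
std::vector<ProcEvent> sampleEvents() {
    return {
        {"storescp", "dcm2json", "dcm2json /var/dcmtk/incoming/CT.1.2.840.1.dcm"},
        {"storescp", "sh", "sh -c /opt/scripts/notify.sh /var/dcmtk/incoming/CT.1.2.840.2.dcm"},
        {"cron", "sh", "sh /etc/cron.daily/logrotate"},
        {"storescp", "dcm2json", "dcm2json /var/dcmtk/incoming/CT.1;x.dcm"},
    };
}

// Expected child images for this (hypothetical) deployment.
std::set<std::string> expectedChildren() {
    return {"dcm2json"};
}

int main() {
    for (const Alert &a : detectSuspiciousChildren(sampleEvents(), expectedChildren())) {
        std::cout << "ALERT: " << a.reason << " :: " << a.cmdline << '\n';
    }
    return 0;
}
```

Run against the sample, the rule raises two alerts (the unconfigured shell and the metacharacter-laden argument) and ignores the cron job because its parent is not storescp; adding `sh` to the allowlist, as a site that really uses the exec options would, drops the first alert but still keeps the second.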
Monitoring Recommendations
- Enable verbose logging on storescp instances to capture incoming connection details and filename processing
- Implement process behavior monitoring using SentinelOne Singularity to detect command injection attempts
- Configure alerts for storescp processes executing unexpected binaries or scripts
- Monitor network traffic for DICOM associations from untrusted sources
How to Mitigate CVE-2026-5663
Immediate Actions Required
- Update OFFIS DCMTK to a patched version that includes commit edbb085e45788dccaf0e64d71534cfca925784b8
- Restrict network access to storescp services using firewall rules to allow only trusted DICOM nodes
- Review and audit any custom exec scripts configured with --exec-on-reception or --exec-on-eostudy options
- Implement network segmentation to isolate DICOM services from general network traffic
Patch Information
The vulnerability has been addressed in the DCMTK codebase through commit edbb085e45788dccaf0e64d71534cfca925784b8. This patch modifies the OFStandard::sanitizeFilename() function in ofstd/libsrc/ofstd.cc to implement comprehensive character filtering using a whitelist approach. Organizations should apply this patch or upgrade to a DCMTK version that includes this fix. Refer to the DCMTK Issue Report for additional details.
Workarounds
- Disable the --exec-on-reception and --exec-on-eostudy options if they are not operationally required
- Implement additional input validation at the network perimeter for incoming DICOM traffic
- Run storescp with minimal privileges using a dedicated service account with restricted permissions
- Deploy application-level firewalls or proxies that can inspect and sanitize DICOM protocol traffic
# Configuration example - Run storescp with restricted options
# Exec callbacks stay disabled simply by not passing --exec-on-reception or --exec-on-eostudy
# --config-file takes two arguments: the config file and the name of a profile defined in it
storescp --config-file storescp.cfg Default \
--output-directory /var/dcmtk/incoming \
--no-halt \
104
# Ensure storescp runs as unprivileged user
# In systemd service file:
# User=dcmtk
# Group=dcmtk
# NoNewPrivileges=true
# ProtectSystem=strict
# Port 104 is a privileged port: an unprivileged service user needs
# AmbientCapabilities=CAP_NET_BIND_SERVICE, or listen on a port above 1023 instead
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.