pydicom pynetdicom Library
Plan: Patch
CVSS: 9.1
ICS-CERT: ICSMA-26-176-01
Published: Jun 25, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The pynetdicom library, versions 1.0.0 through 3.0.3, contains a path traversal vulnerability (CWE-22) that allows an unauthenticated remote attacker to write files to arbitrary paths on the host running pynetdicom. The flaw is reachable over the DICOM network interface and requires neither authentication nor user interaction.
What this means
What could happen
An attacker could create or overwrite configuration files, application binaries, or system files, with the privileges of the pynetdicom process, on any host running a vulnerable pynetdicom version and exposing its DICOM service. Depending on what is overwritten, this can disable the application, corrupt medical imaging workflows, or give the attacker persistent control of the affected system.
Who's at risk
Healthcare facilities, medical imaging centers, and any organization deploying pynetdicom for DICOM protocol handling in medical imaging applications (Picture Archiving and Communication Systems, radiology workstations, imaging servers, diagnostic equipment). Any non-medical application using pynetdicom for network-based file transfer is also at risk.
How it could be exploited
An attacker sends crafted DICOM (medical imaging) protocol messages over the network to a system running a vulnerable pynetdicom service. The messages carry path traversal sequences (e.g., "../../../") in a file path field that the receiver uses to build the name of the file it writes. Because the vulnerable library does not validate that field, the received data is written to the attacker-chosen location on the filesystem, overwriting whatever file is already there.
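The vulnerable and hardened path-handling patterns side by side, as an added example that is not pynetdicom's own code. It assumes a receiver that names each stored object after an identifier carried in the incoming message (the hypothetical parameter `instance_id`); the storage directory and every sample identifier below are constructed. The block shows where each identifier lands when it is joined into the storage directory unvalidated, and that the hardened version accepts only a plain identifier and then proves the resolved path is still inside the storage directory.

```python
"""Vulnerable vs hardened storage-path construction for a DICOM receiver.

Added example illustrating the CWE-22 pattern described in the advisory.
It is not pynetdicom's own code: it assumes a receiver that names each
stored object after an identifier taken from the incoming message
(hypothetical parameter `instance_id`). All sample values are constructed.
"""
import posixpath
import re
from pathlib import Path

# Plain-identifier allowlist. The first character must be alphanumeric, so
# ".", ".." and dot-files are rejected along with separators, NUL bytes and
# anything longer than 64 characters (the DICOM UID length limit).
_IDENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Constructed sample identifiers: one benign UID and four traversal attempts.
SAMPLE_IDS = [
    "1.2.840.113619.2.55.3.604688119",
    "../../../etc/cron.d/x",
    "/etc/passwd",
    "..\\..\\boot.ini",
    "img\x00.dcm",
]


class UnsafePathError(ValueError):
    """Raised when an identifier would escape the storage directory."""


def unsafe_target(storage_dir: str, instance_id: str) -> str:
    """Vulnerable pattern: join the untrusted field straight into the path.

    A "../" prefix walks out of storage_dir, and an absolute identifier
    replaces it entirely because join() discards the left-hand side when
    the right-hand side is absolute. posixpath is used so the result is
    the same on every platform.
    """
    return posixpath.normpath(posixpath.join(storage_dir, instance_id))


def safe_target(storage_dir: str, instance_id: str) -> Path:
    """Hardened pattern: allowlist the identifier, then prove containment."""
    if not _IDENT_RE.fullmatch(instance_id):
        raise UnsafePathError(f"rejected identifier: {instance_id!r}")
    base = Path(storage_dir).resolve()
    target = (base / instance_id).resolve()
    # The allowlist already blocks traversal sequences; the resolved-path
    # check additionally catches an identifier that names a symlink inside
    # storage_dir pointing somewhere else.
    if target.parent != base:
        raise UnsafePathError(f"escapes storage dir: {instance_id!r}")
    return target


def rejected(storage_dir: str, instance_id: str) -> bool:
    """True if the hardened check refuses this identifier."""
    try:
        safe_target(storage_dir, instance_id)
    except UnsafePathError:
        return True
    return False


def store_object(storage_dir: str, instance_id: str, payload: bytes) -> Path:
    """Write received bytes only to a path safe_target() has approved."""
    target = safe_target(storage_dir, instance_id)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(payload)
    return target


def triage(storage_dir: str, ids=SAMPLE_IDS) -> dict:
    """Map each identifier to (unvalidated landing path, accepted-by-hardened-check)."""
    return {
        ident: (unsafe_target(storage_dir, ident), not rejected(storage_dir, ident))
        for ident in ids
    }


if __name__ == "__main__":
    for ident, (landing, ok) in triage("/var/dicom/incoming").items():
        verdict = "accept" if ok else "REJECT"
        print(f"{ident!r:40} unvalidated -> {landing:45} hardened: {verdict}")
```

The allowlist is the primary control; the containment check on the resolved path is a second, independent line of defence so that a later relaxation of the regex cannot silently reintroduce traversal. In a real receiver the same check belongs at the single point where a message field is turned into a filename, before any write happens.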
Prerequisites
- Network connectivity to the system running pynetdicom (typically port 104 for DICOM services)
- Target system must be running pynetdicom version 1.0.0 through 3.0.3
- Application must be actively listening for DICOM connections
- remotely exploitable
- no authentication required
- low complexity
- high CVSS score (9.1)
- arbitrary file write capability
- affects medical imaging systems
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product: pynetdicom
Affected Versions: >= v1.0.0, < v3.0.4
Fix Status: Fix available
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to DICOM service ports (typically port 104) to only trusted medical imaging devices and systems using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade pynetdicom to version 3.0.4 or later
Long-term hardening
HARDENING: Segment medical imaging systems onto a dedicated network separate from general IT infrastructure and untrusted networks
CVEs (1)