Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-56445: DICOM qrscp Path Traversal Enables Arbitrary File Write
CVE-2026-56445: DICOM qrscp Path Traversal Enables Arbitrary File Write

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-56445

CVE-2026-56445: DICOM qrscp Path Traversal Enables Arbitrary File Write

A critical path traversal vulnerability in the qrscp DICOM application allows unauthenticated attackers to write files to arbitrary server paths via...

Dylan H.

Security Team

June 26, 2026
5 min read

Affected Products

  • qrscp (pynetdicom) — unpatched versions

Executive Summary

CVE-2026-56445 is a critical path traversal vulnerability (CVSS 9.1) in the qrscp DICOM application. The C-STORE request handler passes an attacker-supplied instance UID from a crafted DICOM dataset directly into os.path.join() without sanitization, allowing a remote unauthenticated attacker to write files to arbitrary paths on the server filesystem.

Medical imaging infrastructure running affected qrscp deployments is at risk of complete server compromise through malicious file writes.

AttributeValue
CVE IDCVE-2026-56445
CVSS Score9.1 (Critical)
TypePath Traversal / Arbitrary File Write
Componentqrscp C-STORE handler
Attack VectorNetwork
AuthenticationNone required
User InteractionNone
PublishedJune 25, 2026

Vulnerability Details

Root Cause

The qrscp application's C-STORE handler — the DICOM protocol component that receives and stores medical image objects — uses a specific instance UID extracted from attacker-supplied DICOM datasets to construct a file path:

# Vulnerable pattern (simplified)
file_path = os.path.join(storage_dir, instance_uid)

Because instance_uid is taken directly from the incoming DICOM dataset without sanitization, an attacker can craft a dataset where the instance UID contains path traversal sequences (e.g., ../../../../etc/cron.d/backdoor). The os.path.join() call honours these sequences, allowing the resulting write to land outside the intended storage directory at any location writable by the process.

Attack Scenario

1. Attacker identifies exposed qrscp DICOM listener (default port 104/11112)
2. Attacker crafts a DICOM C-STORE request with malicious instance UID:
   e.g., Instance UID = "../../etc/cron.d/rce"
3. qrscp processes the C-STORE: os.path.join(storage_dir, "../../etc/cron.d/rce")
4. File is written to /etc/cron.d/rce containing a reverse shell payload
5. Cron executes the payload — attacker gains OS-level code execution

Why DICOM Is Particularly Risky

  • DICOM port 104 is often internet-exposed in healthcare environments lacking proper network segmentation
  • No authentication by default — the DICOM protocol itself requires no auth for C-STORE operations in basic configurations
  • Process typically runs with elevated privileges to write to storage directories
  • Healthcare targets are high-value for ransomware groups and nation-state actors due to the sensitivity of patient data

Affected Software

SoftwareComponentStatus
qrscp (pynetdicom)C-STORE handlerVulnerable — patch status pending

DICOM-capable software using the qrscp application as a storage SCP (Service Class Provider) is affected. Organizations running pynetdicom-based DICOM listeners should audit their deployments immediately.


Immediate Remediation

Priority Actions

  1. Audit all DICOM listener configurations — identify any qrscp-based deployments exposed to untrusted networks
  2. Apply vendor patches — check the pynetdicom GitHub repository for a fix and apply immediately
  3. Restrict DICOM port access — firewall rules should limit TCP 104/11112 to known DICOM peer IP addresses only
  4. Run qrscp as a least-privilege user — ensure the process cannot write outside its designated storage directory
  5. Monitor for unexpected file creation — audit file system activity on DICOM storage servers

Interim Mitigations (If Patching Is Delayed)

# Restrict DICOM port to known peer IPs only (example: iptables)
iptables -A INPUT -p tcp --dport 104 -s <trusted-pacs-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 104 -j DROP
 
# Run qrscp in a chroot or containerized environment
# Ensure the service account cannot write outside /dicom/storage/

Detection

Indicators of Exploitation

IndicatorDescription
DICOM C-STORE requests with .. in instance UIDsPath traversal attempt
Unexpected files outside DICOM storage directorySuccessful exploitation
New cron jobs, SSH authorized_keys modificationsPost-exploitation persistence
Outbound network connections from DICOM serverC2 communications

Log Monitoring

Audit DICOM application logs for instance UIDs containing traversal characters (.., /, \). Any such request should be treated as an active exploitation attempt and investigated immediately.


Impact Assessment

A successful exploit against an unprotected qrscp deployment enables:

  • Arbitrary file overwrite — attacker can overwrite system files, configuration, or application code
  • Cron/init persistence — write cron jobs or systemd units for persistent backdoor access
  • Web shell deployment — if a web server is running, write PHP/ASPX web shells to the web root
  • Data exfiltration setup — modify existing services to exfiltrate patient records or credentials
  • Ransomware staging — pre-position ransomware payloads before detonation

Healthcare environments storing Protected Health Information (PHI) face significant HIPAA breach notification obligations in addition to the operational impact.


Key Takeaways

  1. CVSS 9.1 Critical — Path traversal via unsanitized os.path.join() in DICOM C-STORE handler
  2. No authentication required — any network-reachable DICOM listener is at risk
  3. Healthcare environments are primary targets — DICOM servers are often poorly segmented
  4. Patch immediately and firewall DICOM ports to known-trusted peers
  5. Monitor for anomalous file creation on DICOM storage servers as an exploitation indicator

References

  • NVD — CVE-2026-56445
  • pynetdicom GitHub Repository
  • DICOM Security Best Practices — HIMSS
  • CISA Healthcare Cybersecurity Guide
#CVE-2026-56445#DICOM#Path Traversal#Healthcare Security#pynetdicom#File Write#NVD

Related Articles

CVE-2026-14198: Fastify Middie Middleware Path Bypass (CVSS 9.1)

Critical path bypass vulnerability in @fastify/middie versions 9.1.0 through 9.3.2 allows attackers to evade middleware protection by exploiting a %2F...

5 min read

CVE-2026-57331: Critical Arbitrary File Deletion in Paid Videochat Turnkey Site

A CVSS 9.9 critical vulnerability in the Paid Videochat Turnkey Site WordPress plugin allows authenticated performer-role users to delete arbitrary files...

4 min read

CVE-2026-54414: FileRise Path Traversal Enables Arbitrary File Write and Admin Takeover

A critical path traversal vulnerability in FileRise before 3.16.0 allows unauthenticated attackers to write arbitrary files and completely compromise...

5 min read
Back to all Security Alerts