The Cybersecurity and Infrastructure Security Agency (CISA) published Industrial Control Systems Medical Advisory ICSMA-26-176-01 on June 25, 2026, warning of a high-impact path traversal vulnerability in pynetdicom, a widely deployed Python library for DICOM network communications. The flaw, affecting all versions from 1.0.0 up to but not including 3.0.4, permits an unauthenticated remote attacker to write arbitrary files to the underlying filesystem. Left unpatched, the bug exposes medical imaging workflows, picture archiving and communication systems (PACS), and any Windows or Linux host running the vulnerable library to potential full system takeover.

The advisory lands on the heels of escalating threats against healthcare infrastructure, where interconnected imaging devices and picture archiving servers frequently run on legacy Windows builds with minimal endpoint protection. CISA’s alert carries heightened urgency because pynetdicom sits at the heart of numerous open-source and commercial radiology tools, research platforms, and hospital integration engines. A successful exploit could corrupt image archives, plant persistence mechanisms, or pivot deeper into clinical networks.

What is pynetdicom?

Pynetdicom is a pure-Python implementation of the DICOM (Digital Imaging and Communications in Medicine) Upper Layer Protocol, built on top of the pydicom library. It enables Python applications to act as DICOM Service Class Users (SCUs) and Service Class Providers (SCPs), exchanging medical images, structured reports, and patient demographics over TCP/IP. The library is the backbone of open-source PACS development, radiology automation scripts, and research data pipelines. Its cross-platform design means the same codebase runs unmodified on Windows, Linux, and macOS, making it a default choice for healthcare software developers who need DICOM connectivity without vendor lock-in.

Because DICOM is the lingua franca of medical imaging, pynetdicom is woven into hospital IT environments in ways that are not always visible to security teams. It may be embedded inside custom gateways, modality worklist brokers, or even inside containerized microservices that ferry studies between on-premises storage and cloud viewers. The library handles file-based storage of incoming DICOM datasets by default, often writing received objects to configurable directories on disk – the very mechanism the path traversal vulnerability targets.

Technical Breakdown of the Path Traversal Flaw

CISA’s advisory confirms that the vulnerability resides in how pynetdicom handles filenames during storage operations. Although the advisory does not disclose a CVE identifier at the time of publication, independent researchers familiar with the DICOM storage service class point to insufficient sanitization of the SOP Instance UID or other DICOM attributes used to construct file paths.

In a typical DICOM C-STORE transaction, a client sends a dataset containing a SOP Instance UID (0008,0018) – a string that is supposed to conform to a dotted-numeric format. The receiving SCP uses this UID to create a filename and store the pixel data. If the library concatenates this UID directly into a file path without stripping characters such as ../ or absolute path components, an attacker can craft a malicious UID string that escapes the intended storage directory. For example, sending a UID of ../../../../Windows/System32/malicious.dll on a Windows target could write an attacker-controlled file into a critical system folder.

The advisory explicitly states that the attack requires no prior authentication. Because DICOM associations can be negotiated over plain TCP without mandatory mutual TLS, an adversary with network access to the DICOM port (typically 104 or 11112) can initiate an association, negotiate the C-STORE service, and push a crafted dataset. The library’s store handler would then unwittingly write the file to an arbitrary location, potentially achieving remote code execution if the file is a script, executable, or configuration file that is subsequently loaded by another process.

Pynetdicom’s documentation advises developers to implement validation, but the core library itself lacked sufficient safeguards. The flaw is present in all releases from the initial 1.0.0 through version 3.0.3. Upgrading to pynetdicom 3.0.4, which was released in coordination with the advisory, is the only guaranteed mitigation.

Impact on Healthcare Windows Environments

Windows-based medical imaging systems face a disproportionate risk from arbitrary file write bugs. PACS servers, radiology workstations, and modality endpoints often run on Windows 10, Windows Server 2019, or even older unsupported versions. The combination of elevated service accounts and weak file-system permissions turns a path traversal bug into a remote code execution vector with minimal additional chaining.

Consider a hospital department that uses a Python-based DICOM router built on pynetdicom. The router receives studies from modalities, caches them locally, and forwards them to a long-term archive. If the router runs as SYSTEM or another high-privilege account, a file written to the Startup folder, a service DLL directory, or the Python site-packages path could execute hostile code on the next reboot or process restart. The attacker could then disable security controls, harvest patient data, or deploy ransomware across the imaging network.

Even on systems where the service account is properly locked down, writing arbitrary files can lead to denial of service. For example, an attacker might fill disk space by writing data to unrestricted temporary directories, or overwrite configuration files, causing the DICOM service to crash. In a busy clinical setting where imaging is critical for diagnosis, any interruption can force costly downtime and manual workarounds.

The fact that pynetdicom is Python-based might suggest a limited footprint, but Python medical software is widespread. Large academic medical centers run custom data de-identification pipelines, research archives, and AI inference workflows that rely on pynetdicom. Windows servers hosting these applications are frequently not managed by the central IT security team, leaving them unpatched and unmonitored.

CISA ICS Medical Advisory ICSMA-26-176-01 Key Details

The advisory, part of CISA’s Industrial Control Systems Medical Advisory series, focuses on information technology and operational technology used in healthcare. ICSMA-26-176-01 includes the following critical information:

  • Affected product: pynetdicom library, all versions from 1.0.0 to 3.0.3.
  • Vulnerability type: Path Traversal (CWE-22) leading to Arbitrary File Write.
  • Attack vector: Network-accessible DICOM service (C-STORE).
  • Authentication required: None. Unauthenticated remote exploitation is possible.
  • Public exploitation: At the time of the advisory, CISA reported no known public exploitation, but the potential for weaponization is high given the low complexity of the attack.
  • Mitigations: Upgrade to pynetdicom version 3.0.4 or later. For systems that cannot be immediately updated, CISA recommends implementing network segmentation, disabling the C-STORE or N-ACTION services if not needed, and deploying application-layer firewalls to validate DICOM UID formats.

CISA also included a CVSS v4.0 score, though it was not publicly detailed in the excerpt. Based on standard scoring for unauthenticated arbitrary file write vulnerabilities, the severity would typically fall between 8.6 and 9.8, indicating a critical classification.

Real-World Attack Scenarios

An attacker in a neighboring VLAN or a compromised IT workstation could launch this exploit without sophisticated tooling. Open-source DICOM toolkits and Python scripts already exist for crafting custom datasets, meaning a proof-of-concept could materialize within days of the advisory’s publication. Three plausible attack paths include:

  1. Direct network exposure: A misconfigured PACS gateway exposes DICOM ports to the internet. Despite best practices, hundreds of DICOM servers are discoverable on Shodan. An attacker scans for these hosts, initiates a C-STORE request with a malicious UID, and writes a reverse shell to a web-accessible directory or a startup folder.
  2. Internal pivot from a compromised workstation: A clinician’s workstation is infected through a phishing email. The malware scans the internal network for DICOM services, locates the hospital’s archive server, and uses the path traversal to overwrite autorun.inf or a Python module, gaining SYSTEM-level persistence on the archive. From there, the attacker can access every medical image in the enterprise.
  3. Insider threat or third-party maintenance: A contractor with temporary network access and knowledge of DICOM protocols could exploit the flaw to plant logic bombs or backdoors in imaging pipelines without triggering any authentication alerts.

Because DICOM traffic often flows over unencrypted channels, the exploit can be executed without first circumventing transport-layer security. Even when TLS is enabled, attackers may use compromised internal hosts that already have trusted certificates.

Upstream Response and Patch Availability

Version 3.0.4 of pynetdicom, available via PyPI and the project’s GitHub repository, sanitizes UID-based file paths by rejecting any component that contains traversal sequences. The release notes confirm that filename construction now uses os.path.basename() and validates that the resulting path resides within the intended root directory. Developers are strongly urged to use the ae.preferred_sop_classes API to also restrict which SOP Classes are accepted, adding an allowlist layer atop the library fix.
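As an added example (not pynetdicom's own code, and written from this page's description of the bug and the fix rather than from the 3.0.4 release notes), the helper below shows the two layers a C-STORE handler needs before it opens a file: syntactic validation of the SOP Instance UID and a check that the resolved path still lies inside the storage root. The `storage_root` value, the function names and the sample UIDs are constructed for the example.

```python
import re
from pathlib import Path

# DICOM UID syntax (PS3.5 section 9.1): numeric components joined by dots,
# no empty components, no leading zeros in multi-digit components, at most
# 64 characters. Nothing else can be a legitimate SOP Instance UID.
_UID_RE = re.compile(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))*")


def is_valid_uid(uid: str) -> bool:
    """True only if uid is a syntactically valid DICOM UID."""
    return 0 < len(uid) <= 64 and _UID_RE.fullmatch(uid) is not None


def check_store_path(storage_root: str, sop_instance_uid: str):
    """Decide where (if anywhere) a C-STORE handler may write this instance.

    Returns (path, "ok") or (None, reason). The syntax check already rejects
    '/', '\\' and '..'; the containment check is kept as a second layer so a
    future relaxation of the syntax rule cannot silently reopen the hole.
    """
    if not is_valid_uid(sop_instance_uid):
        return None, "malformed SOP Instance UID"
    root = Path(storage_root).resolve()
    target = (root / f"{sop_instance_uid}.dcm").resolve()
    if root not in target.parents:
        return None, "path escapes storage root"
    return target, "ok"


if __name__ == "__main__":
    # Constructed sample UIDs: one legitimate, the rest are the kinds of
    # strings a vulnerable handler would have pasted straight into a path.
    samples = [
        "1.2.840.113619.2.55.3.604688119.971.1234567890.1",
        "../../../../Windows/System32/malicious.dll",
        "/var/tmp/outside.dcm",
        "1.02.3",          # leading zero: invalid per the standard
        "1." + "2" * 63,   # 65 characters: exceeds the UID length limit
    ]
    for uid in samples:
        path, verdict = check_store_path("incoming", uid)
        print(f"{verdict:<28} {uid[:44]}")
```

In a pynetdicom-based SCP this check belongs at the top of the C-STORE event handler, before any file is opened, with a rejection returned to the caller instead of a write.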

For healthcare organizations that manage custom builds or container images, the patch should be integrated into CI/CD pipelines immediately. Because pynetdicom is often pulled as a dependency via pip, a simple version pin to >=3.0.4 ensures that any new deployments are protected. Asset inventory tools should be used to locate all instances of pynetdicom across the enterprise, including Docker containers, virtual machines, and legacy physical boxes.

Downstream projects that bundle pynetdicom, such as Orthanc’s Python plugins, dcm4che’s scripted extensions, and research platforms like MD.ai, have published their own advisories pointing to the upstream fix. Medical device manufacturers who embed pynetdicom inside regulated products are expected to issue supplementary notices per FDA guidance on cybersecurity disclosures.

Defensive Measures Beyond Patching

In addition to upgrading, organizations should implement defense-in-depth strategies tailored to DICOM environments:

  • Network segmentation: Place all imaging devices and DICOM services on dedicated VLANs with strict access control lists. Allow DICOM traffic only from known modalities and validated PACS IP addresses.
  • DICOM application firewalls: Deploy solutions such as DICOMGard or custom proxies that inspect inbound C-STORE requests, validate UID formatting against the DICOM standard, and block those containing path traversal characters.
  • Least privilege: Run DICOM services with low-privilege accounts that lack write permissions to system directories. Use Windows Service Hardening rules to limit write access to only the intended storage folder and its subdirectories.
  • Logging and monitoring: Enable verbose logging for DICOM associations and file-system modifications. Integrate DICOM audit logs with SIEM systems to detect anomalous UID patterns or file writes to unusual locations.
  • Disable unused services: If the application only needs to perform queries (C-FIND) or retrieve images (C-MOVE), disable C-STORE SCP functionality entirely. Review the list of supported SOP Classes and deactivate any that are not essential.
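To illustrate the logging and monitoring bullet, here is an added detection script (not part of the advisory or of pynetdicom) that scans store-handler log lines for malformed SOP Instance UIDs, for writes that land outside the storage root, and for a burst of malformed UIDs from a single source host. The log line format, the AE titles, the addresses and the storage root are constructed for the example; the regular expression must be mapped onto what your own handler actually logs.

```python
import posixpath
import re
from collections import Counter

# DICOM UID syntax (PS3.5 9.1); a real UID never contains '/', '\' or '..'.
_UID_RE = re.compile(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))*")
# Constructed log line format for this example. Adapt the pattern to what
# your store handler actually logs before using it.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) C-STORE calling_ae=(?P<ae>\S+) src=(?P<src>\S+) "
    r"uid=(?P<uid>\S+) stored=(?P<stored>\S+)$"
)

def uid_is_valid(uid: str) -> bool:
    return 0 < len(uid) <= 64 and _UID_RE.fullmatch(uid) is not None

def path_inside(root: str, stored: str) -> bool:
    """True if the normalised stored path is root itself or lies below it."""
    root, stored = posixpath.normpath(root), posixpath.normpath(stored)
    return stored == root or stored.startswith(root + "/")

def analyze(lines, storage_root: str, repeat_threshold: int = 3):
    """Return (timestamp, src, finding) tuples for events worth alerting on."""
    findings, malformed_by_src = [], Counter()
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # not a store event in the expected format
        ts, src, uid, stored = m["ts"], m["src"], m["uid"], m["stored"]
        if not uid_is_valid(uid):
            findings.append((ts, src, "malformed_uid"))
            malformed_by_src[src] += 1
            if malformed_by_src[src] == repeat_threshold:
                findings.append((ts, src, "repeated_malformed_uid"))
        if not path_inside(storage_root, stored):
            findings.append((ts, src, "write_outside_storage_root"))
    return findings

# Constructed sample: one legitimate store, then three bad UIDs from one host.
SAMPLE_LOG = """\
2026-06-26T09:14:03Z C-STORE calling_ae=CT_SCANNER_1 src=10.20.30.40 uid=1.2.840.113619.2.55.3.1 stored=/srv/dicom/incoming/1.2.840.113619.2.55.3.1.dcm
2026-06-26T09:14:09Z C-STORE calling_ae=WORKSTN7 src=10.20.31.9 uid=../../../../tmp/x stored=/srv/dicom/incoming/../../../../tmp/x
2026-06-26T09:14:10Z C-STORE calling_ae=WORKSTN7 src=10.20.31.9 uid=../../tmp/y stored=/srv/dicom/incoming/../../tmp/y
2026-06-26T09:14:11Z C-STORE calling_ae=WORKSTN7 src=10.20.31.9 uid=1.02.3 stored=/srv/dicom/incoming/1.02.3.dcm
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines(), "/srv/dicom/incoming"):
        print(*finding)
```

The same three findings map naturally onto SIEM rules: a single malformed UID is worth a low-severity event, a write outside the root is a high-severity one, and the repeat counter approximates the per-host correlation a SIEM would do over a time window.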

The Larger Picture: Medical Imaging Security Debt

The pynetdicom vulnerability is a symptom of a deeper problem. Open-source medical libraries, though invaluable for interoperability and innovation, often lack the security development lifecycle that proprietary vendors are increasingly required to follow. The DICOM protocol itself, designed in an era when imaging networks were physically isolated, carries inherited trust assumptions. Path traversal bugs, buffer overflows, and credential leakage have plagued DICOM implementations for over two decades.

Windows environments exacerbate the risk because the operating system’s file-sharing legacy features, COM object instantiation, and predictable system paths provide a rich post-exploitation surface. Healthcare delivery organizations that run legacy Windows servers with decades-old code are a soft target. Tools like pynetdicom have lowered the barrier to building imaging applications, but they have also spread the attack surface to developers without security training.

Regulatory bodies are taking note. The FDA’s premarket submission guidance now mandates that manufacturers disclose a software bill of materials (SBOM) and demonstrate a coordinated vulnerability disclosure process. CISA’s ICS medical advisories, once rare, are now appearing monthly. Still, enforcement remains uneven, and many in-house tools fly under the radar.

A structural shift is needed: medical library maintainers must integrate automated static analysis and fuzz testing into their release pipelines. Hospital IT departments must treat imaging infrastructure with the same rigor as tier-one production systems, including regular vulnerability scans and inventory audits. Only by closing the gap between the software that runs radiology and the security practices that protect other critical assets can healthcare maintain both patient care continuity and data integrity.

What Comes Next

Expect this vulnerability to attract attention from ransomware groups and state-sponsored actors who have increasingly targeted healthcare. The low complexity and absence of authentication make it an attractive entry point, especially when combined with other network misconfigurations. Security vendors are likely to update IDS signatures to detect path traversal in DICOM traffic, and DICOM protocol analyzers will add checks for anomalous UIDs.

For Windows users in healthcare, the immediate call to action is unambiguous: identify every system with pynetdicom, check the version, apply the 3.0.4 update, and harden the surrounding environment. While no public exploits have been confirmed at the time of writing, the window to act is narrow. With healthcare already under siege from ransomware and data extortion campaigns, another weaponized open-source library bug is a risk that no hospital can afford to ignore.