MicroDicom Releases DICOM Viewer Software Update

Two vulnerabilities could allow an attacker to corrupt the memory of the application or execute arbitrary code


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

The US Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) Medical Advisory for two vulnerabilities found in MicroDicom DICOM Viewer. DICOM Viewer is an application for primary processing and preservation of medical images in DICOM format.

  • CVE-2025-35975 has a CVSSv3 base score of 8.8 and is an 'out-of-bounds write' vulnerability, which means that the product writes data past the end, or before the beginning, of the intended buffer. An attacker could execute arbitrary code (ACE) by convincing a user to open a malicious DCM file. 
  • CVE-2025-36521 has a CVSSv3 base score of 8.8 and is an 'out-of-bounds read' vulnerability, which means that the product reads data past the end, or before the beginning, of the intended buffer. An attacker could exploit this vulnerability to cause memory corruption within the application by convincing a user to open a malicious DCM file.

Remediation advice

Affected organisations are encouraged to review the CISA advisory ICSMA-25-121-01, which recommends updating MicroDicom DICOM Viewer to version 2025.2 and taking the following defensive actions to minimise the risk of exploitation of these vulnerabilities:

  • Minimise network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), while recognising VPNs may have vulnerabilities and should be updated to the most current version available.


Last edited: 6 May 2025 2:45 pm