CVE-2022-2120

7.5 HIGH

📋 TL;DR

This vulnerability in OFFIS DCMTK's service class user (SCU) allows attackers to write DICOM files to arbitrary directories via relative path traversal. This could lead to remote code execution by placing malicious files in system locations. All versions prior to 3.6.7 are affected.

💻 Affected Systems

Products:
  • OFFIS DCMTK
Versions: All versions prior to 3.6.7
Operating Systems: All platforms running DCMTK
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the service class user (SCU) component specifically. Systems using DCMTK for medical imaging processing are at risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with system-level privileges, allowing complete compromise of affected systems and potential lateral movement within networks.

🟠 Likely Case

Unauthorized file writes leading to data manipulation, denial of service, or privilege escalation through crafted DICOM files.

🟢 If Mitigated

Limited to unauthorized file writes in controlled directories without execution capabilities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to the SCU service and knowledge of DICOM protocols, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.7

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsma-22-174-01

Restart Required: Yes

Instructions:

1. Download DCMTK version 3.6.7 or later from official sources.
2. Stop all DCMTK services.
3. Backup configuration files.
4. Install the updated version.
5. Restart services and verify functionality.

🔧 Temporary Workarounds

Network Segmentation

Platform: linux

Restrict network access to DCMTK SCU services to trusted sources only. Replace trusted_network with the source network in CIDR notation (for example a PACS VLAN); port 104 is the registered DICOM port, so adjust it if your deployment listens elsewhere. The ACCEPT rule must come before the DROP rule, and because -A appends, both rules only take effect if no earlier rule in the INPUT chain already accepts this port.

# allow DICOM associations only from the trusted network, drop everything else
iptables -A INPUT -p tcp --dport 104 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 104 -j DROP

File System Restrictions

Platform: all

Configure DCMTK to run with minimal file system permissions and use chroot/jail environments. The commands below assume a dedicated service account (dcmtk_user:dcmtk_group, placeholders) and /var/lib/dcmtk as the only directory the process needs to write; mode 750 gives the owner full access, the group read and traverse, and everyone else nothing, so a path that escapes the storage directory still cannot be written by the service account.

# give the storage directory to the service account and close it to others
chown -R dcmtk_user:dcmtk_group /var/lib/dcmtk
chmod 750 /var/lib/dcmtk

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to the DCMTK SCU service.
  • Monitor file system activity for unauthorized writes and implement file integrity monitoring.

🔍 How to Verify

Check if Vulnerable:

DCMTK installs no `dcmtk` binary; every DCMTK command-line tool accepts `--version` and prints the library version, for example `storescu --version` (the SCU tool most relevant here), or query your package manager (for example `dpkg -s dcmtk` on Debian-based systems). Versions below 3.6.7 are vulnerable.

Check Version:

storescu --version

Verify Fix Applied:

Confirm the version is 3.6.7 or higher using `storescu --version` (any DCMTK tool reports the same library version). Test SCU functionality with controlled DICOM transfers.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in DCMTK logs
  • Path traversal patterns in DICOM request logs
  • Failed file access attempts outside expected directories

Network Indicators:

  • Unusual DICOM C-STORE requests with path traversal patterns
  • Multiple failed DICOM association attempts followed by successful transfers

SIEM Query:

source="dcmtk.log" AND ("..\\" OR "../" OR "path traversal")
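The two defender-side checks the Fix & Mitigation and Detection sections describe, as an added example that is not part of this advisory and not DCMTK code: a containment check a receiver should apply before writing a file whose name comes from peer-supplied DICOM data, and the log-side detection the SIEM query above expresses, run over constructed sample lines. The helper names, the `<SOP Instance UID>.dcm` naming convention and the log line format are assumptions.

```python
import re
from pathlib import Path
from typing import List, Optional

# A DICOM UID is 1-64 characters of digit components separated by single dots.
# Anything else (slashes, backslashes, '..') must never become a file name.
UID_RE = re.compile(r"\d+(?:\.\d+)*")
# A '..' path component with either separator, anywhere in a name or path.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def safe_store_path(base_dir: str, sop_instance_uid: str) -> Optional[Path]:
    """Return the path to store a received instance under, or None to refuse.

    Hypothetical helper: allowlists the UID syntax first, then confirms the
    resolved target still sits directly inside base_dir. Assumes files are
    named <SOP Instance UID>.dcm, as many store applications do.
    """
    if len(sop_instance_uid) > 64 or not UID_RE.fullmatch(sop_instance_uid):
        return None
    base = Path(base_dir).resolve()
    target = (base / f"{sop_instance_uid}.dcm").resolve()
    if target.parent != base:  # defence in depth: symlinks, odd separators
        return None
    return target


def scan_log_lines(log_text: str) -> List[int]:
    """1-based numbers of log lines that carry a '..' path component."""
    return [n for n, line in enumerate(log_text.splitlines(), 1)
            if TRAVERSAL_RE.search(line)]


# Constructed sample lines in a generic tool-log style, not real DCMTK output.
SAMPLE_LOG = """\
I: storing received instance to /var/lib/dcmtk/1.2.840.113619.2.55.3.dcm
I: storing received instance to /var/lib/dcmtk/../../../srv/outside.dcm
W: could not write /var/lib/dcmtk/..\\..\\outside.dcm
I: Association Release
"""

if __name__ == "__main__":
    print(safe_store_path("dicom_store", "1.2.840.113619.2.55.3"))
    print(safe_store_path("dicom_store", "../../../srv/outside"))  # None
    print(scan_log_lines(SAMPLE_LOG))  # [2, 3]
```

The regex catches both separator styles, which matters because the SIEM query only matches the two literal forms it lists.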
