CVE-2024-28130

7.5 HIGH

📋 TL;DR

This vulnerability allows arbitrary code execution through incorrect type conversion when processing specially crafted DICOM files in OFFIS DCMTK. Attackers can achieve remote code execution by tricking users or systems into opening malicious medical imaging files. Affected systems include any using DCMTK for DICOM medical image processing.

💻 Affected Systems

Products:
  • OFFIS DCMTK
Versions: 3.6.8 and earlier
Operating Systems: All platforms running DCMTK
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using DCMTK libraries for DICOM file processing is vulnerable when handling untrusted files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the DCMTK process, potentially leading to data theft, ransomware deployment, or lateral movement in healthcare networks.

🟠

Likely Case

Remote code execution on systems processing untrusted DICOM files, potentially compromising patient data or disrupting medical imaging workflows.

🟢

If Mitigated

Limited impact with proper network segmentation, file validation, and least privilege execution, potentially reduced to denial of service.

🌐 Internet-Facing: MEDIUM - Exploitable if DICOM processing services are exposed to untrusted networks, but requires file upload/processing capability.
🏢 Internal Only: HIGH - Medical imaging systems often process files from various sources internally, making exploitation likely in healthcare environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious DICOM file and getting it processed by vulnerable DCMTK software. No authentication needed if file processing is accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.9 or later

Vendor Advisory: https://support.dcmtk.org/

Restart Required: Yes

Instructions:

1. Download DCMTK 3.6.9 or later from official sources.
2. Stop all DCMTK-related services.
3. Back up configuration files.
4. Install the updated version.
5. Restart services.

🔧 Temporary Workarounds

File Validation Filter

Platform: all

Implement strict file validation before DICOM processing to reject malformed files

# Implement custom validation script before DCMTK processing
# Example: dcm2xml --validate input.dcm || exit 1

Sandbox Execution

Platform: linux

Run DCMTK processes in isolated containers or sandboxes with limited privileges

docker run --read-only --cap-drop=ALL -v /safe/input:/input dcmtk-container

🧯 If You Can't Patch

  • Implement network segmentation to isolate DICOM processing systems from critical networks
  • Deploy application allowlisting to prevent unauthorized execution of payloads

🔍 How to Verify

Check if Vulnerable:

Check the DCMTK version with 'dcmdump --version' (use 'which dcmdump' to locate the binary) and verify whether the version is 3.6.8 or earlier

Check Version:

dcmdump --version 2>/dev/null | head -1

Verify Fix Applied:

Confirm the version is 3.6.9 or later using 'dcmdump --version', then test with known-good DICOM files
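A script that automates the version check above, added here as an example and not part of the advisory or of DCMTK itself. It assumes the first line of `dcmdump --version` has the form `$dcmtk: dcmdump v3.6.8 2023-12-19 $` (a constructed sample; adjust the sed pattern if your build prints a different banner) and uses 3.6.9 as the first fixed release, as stated above.

```shell
#!/bin/sh
# Added example: decide whether an installed DCMTK is affected by
# CVE-2024-28130 (3.6.8 and earlier) from the dcmdump version banner.

# Extract "X.Y.Z" from a banner line such as
# "$dcmtk: dcmdump v3.6.8 2023-12-19 $" (constructed sample format).
# Prints nothing if the line does not match.
dcmtk_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.* v\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if the given version is 3.6.8 or earlier, 1 otherwise.
# Compares field by field numerically, so 3.6.10 correctly sorts after 3.6.9
# (a plain string comparison would get that wrong).
dcmtk_is_vulnerable() {
    ver="$1"
    fixed="3.6.9"          # first release with the fix, per the advisory
    oldifs=$IFS; IFS=.
    set -- $ver;   v1=${1:-0}; v2=${2:-0}; v3=${3:-0}
    set -- $fixed; f1=$1;      f2=$2;      f3=$3
    IFS=$oldifs
    if [ "$v1" -lt "$f1" ]; then return 0; fi
    if [ "$v1" -gt "$f1" ]; then return 1; fi
    if [ "$v2" -lt "$f2" ]; then return 0; fi
    if [ "$v2" -gt "$f2" ]; then return 1; fi
    [ "$v3" -lt "$f3" ]
}

# Query the installed dcmdump and report. Exit codes: 0 not affected,
# 1 vulnerable, 2 dcmdump missing or banner not recognised.
check_installed_dcmtk() {
    banner=$(dcmdump --version 2>/dev/null | head -1)
    ver=$(dcmtk_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "dcmdump not found or version banner not recognised"
        return 2
    fi
    if dcmtk_is_vulnerable "$ver"; then
        echo "DCMTK $ver: affected by CVE-2024-28130, upgrade to 3.6.9 or later"
        return 1
    fi
    echo "DCMTK $ver: not affected by CVE-2024-28130"
    return 0
}

# Run the live check only when invoked as: sh check_dcmtk.sh check
if [ "${1:-}" = "check" ]; then check_installed_dcmtk; fi
```

The exit code makes the script usable from a fleet inventory job: any host returning 1 still needs the 3.6.9 upgrade.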

📡 Detection & Monitoring

Log Indicators:

  • Process crashes in DCMTK applications
  • Unusual file processing errors in medical imaging systems
  • Abnormal memory usage patterns in DCMTK processes

Network Indicators:

  • Unexpected outbound connections from DICOM processing systems
  • Anomalous DICOM file transfers to/from untrusted sources

SIEM Query:

process_name:dcm* AND (event_type:crash OR memory_usage:>threshold)

🔗 References
