On February 28, 2024, Health-ISAC published Sante DICOM Pro Vulnerable to Malicious DICOM Files. This vulnerability was also reported by Michael Heinzl and distributed by CISA. Please review that bulletin for additional insight, including affected versions and links to update to the most secure version of Sante DICOM Pro.
Health-ISAC has previously shared insight on threat actors targeting healthcare organizations and leveraging DICOM systems for initial access in a Threat Bulletin titled Ransomware Actors Target Healthcare. This tactic relies on social engineering: the threat actor enrolls as though they were a patient seeking care, and when the organization requests medical images, the threat actor submits malicious DICOM files.
If exploited, the vulnerability allows attackers to exfiltrate sensitive information, including protected health information (PHI) and personally identifiable information (PII). Threat actors find DICOM systems attractive, as illustrated by leaked communications intercepted from CLOP ransomware affiliates, which indicate that ransomware groups take advantage of the urgency with which radiologists review medical images ahead of remote patient visits to breach healthcare networks.
Two CVEs have been assigned to the DICOM viewer vulnerabilities impacting MicroDICOM: CVE-2024-22100 and CVE-2024-25578. The Common Vulnerability Scoring System (CVSS) score is 7.8. There is no indication that this vulnerability is actively exploited, and there is no indication that public exploit code is available for it.
Health-ISAC will share an additional Threat Bulletin if proof-of-concept code is discovered or active exploitation is reported for the MicroDicom DICOM vulnerabilities. DICOM systems have previously been actively exploited, as illustrated in the Health-ISAC Threat Bulletin Actively Exploited Vulnerability in MIM Assistant and Client DICOM RTst Loading Modules.
Health-ISAC would like to thank intelligence partners at CISA for facilitating the distribution of the insights
shared by security researcher Michael Heinzl.
Impacted Versions:
Health-ISAC recommends organizations inventory their environment to determine whether any instances of MicroDicom DICOM Viewer v2023.3 are in operation and connected to their network or to third-party partner networks.

Health-ISAC recommends organizations upgrade to the latest version of MicroDicom DICOM Viewer, v2024.1, to mitigate the risk of exploitation resulting in the exfiltration of sensitive information.
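The following PowerShell script is an added example of the inventory step described above; it is not code from Health-ISAC or MicroDicom. It reads the standard Windows uninstall registry keys on the local host, reports any installation whose DisplayName contains "MicroDicom" (an assumed match string), and flags versions older than the 2024.1 release named in this bulletin as needing the upgrade. The registry key path and the exact DisplayName and DisplayVersion values that the MicroDicom installer writes are assumptions, so adjust the pattern if your installs register differently.

```powershell
# Added example (not from Health-ISAC or MicroDicom): flag MicroDicom DICOM
# Viewer installs older than the patched 2024.1 release on the local host.
# Assumptions: the product appears under a standard uninstall key with a
# DisplayName containing "MicroDicom" and a DisplayVersion shaped like "YYYY.N".

$PatchedVersion = [version]'2024.1'   # fixed release named in the bulletin
$NamePattern    = 'MicroDicom'        # assumed DisplayName substring

# Standard locations for per-machine (64-bit and 32-bit) and per-user installs
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-MicroDicomInstalls {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $NamePattern } |
        ForEach-Object {
            $parsed = $null
            $needsUpgrade = $null   # stays $null if the version string does not parse
            if ([version]::TryParse($_.DisplayVersion, [ref]$parsed)) {
                $needsUpgrade = $parsed -lt $PatchedVersion
            }
            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                NeedsUpgrade    = $needsUpgrade
            }
        }
}

$results = Get-MicroDicomInstalls
if (-not $results) {
    Write-Output "No MicroDicom DICOM Viewer installation found on $env:COMPUTERNAME."
} else {
    $results | Format-Table -AutoSize
    # Exit non-zero when any install is below 2024.1 or its version could not be
    # parsed, so a fleet-wide job (e.g. via Invoke-Command) can collect those hosts.
    if ($results | Where-Object { $_.NeedsUpgrade -ne $false }) { exit 1 }
}
```

Run it with `Invoke-Command -ComputerName <hosts> -FilePath .\Find-MicroDicom.ps1` to sweep a fleet; an unparseable version is treated as "needs review" rather than silently passed, and hosts with no match return cleanly so the output doubles as evidence for the inventory record.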
The latest version of the MicroDicom DICOM Viewer, version 2024.1, which includes the patch for the above-referenced vulnerabilities, is available from MicroDICOM here.