CVE-2025-3484

Published May 22, 2025

Last updated 6 days ago

CVSS critical 9.8

Overview

Description: MedDream PACS Server DICOM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MedDream PACS Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of DICOM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25853.
Source: zdi-disclosures@trendmicro.com
NVD status: Analyzed

Risk scores

CVSS 3.0

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

zdi-disclosures@trendmicro.com: CWE-121

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:meddream:pacs_server:*:*:*:*:premium:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A84749C2-CF2D-463E-9D0F-8151CBFDC2D0",
            "versionEndExcluding": "7.3.5.860"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.0

Weaknesses

Social media

Configurations

References