CVE-2022-2120 in DCMTK

Summary

by MITRE • 06/24/2022

OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.


Analysis

by VulDB Data Team • 11/04/2025

CVE-2022-2120 affects OFFIS DCMTK, the open-source DICOM toolkit, in all versions prior to 3.6.7. The weak component is the service class user (SCU), the side of a DICOM association that initiates requests and, in the affected code path, receives DICOM objects and writes them to disk. DICOM (Digital Imaging and Communications in Medicine) is the standard used throughout healthcare for storing and exchanging medical images and related data, and DCMTK is embedded in many imaging products and PACS deployments, so the toolkit's input handling matters well beyond the library itself.

The flaw is a relative path traversal (CWE-23). When the SCU stores a received DICOM object, the file name it uses is influenced by data supplied by the remote peer, and the toolkit did not reject directory traversal sequences such as "../" or "..\\" in that data. A hostile peer can therefore make the SCU write a DICOM file outside its intended storage directory, under a name of the peer's choosing: into any location the SCU process has permission to write, including system directories, and over existing files. Because the traversal is relative, the attacker escapes from the configured output directory rather than naming an absolute path, but that is enough to reach most of the file system when the SCU runs with broad privileges.

The impact goes beyond file system manipulation. An attacker who can place a file with a chosen name in a directory that another component later executes or interprets (scheduled-task directories, autostart locations, or directories polled by automated DICOM import jobs) gains a path to code execution in the context of that component, which may run with higher privileges than the SCU itself. This matters in healthcare environments, where DICOM files are routinely processed without human review by modality workstations, PACS and other imaging infrastructure, so a single compromised or malicious peer can become a foothold in the wider clinical network. Note that the SCU is the initiating side of the association: the precondition is that the SCU connects to a malicious or compromised peer, or that an attacker can interpose on the network path.

Mitigation starts with updating affected DCMTK installations, and products that bundle DCMTK, to version 3.6.7 or later, which contains the fix. Where updating is delayed, run the SCU with the least privilege it needs and confine it to a dedicated storage directory so that an escaped write has limited reach, and segment DICOM traffic so that the SCU only associates with trusted peers. Developers who build on DCMTK or implement their own storage logic should validate any peer-supplied value used in a file name as a single path component (no separators, no "." or "..") and verify after normalization that the resulting path still lies inside the storage directory. Operators should monitor for file creation outside the expected DICOM directories and for associations with unknown application entity titles. The vulnerability maps to CWE-23 (Relative Path Traversal); in ATT&CK terms it is relevant to initial access and execution through malicious file injection. Healthcare organizations should inventory their imaging infrastructure to identify every product that embeds an affected DCMTK version, since the library is often present without being listed by name.
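The following C++ example is added here to illustrate both the traversal pattern described in the analysis above and the "single path component plus containment" check recommended as a mitigation. It is not DCMTK code and does not reproduce the toolkit's own storage routine; the storage directory, the sample file names and the function names are assumptions constructed for the example.

```cpp
// Added illustration of CWE-23 in a file-storage routine and a hardened
// replacement. Not DCMTK code; all names and sample values are constructed.
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Vulnerable pattern: a peer-influenced name is joined onto the storage
// directory without checks. ".." segments walk out of the directory, and an
// absolute name replaces the directory entirely (std::filesystem operator/
// semantics), so both relative and absolute escapes succeed.
std::string unsafe_output_path(const std::string& storage_dir,
                               const std::string& name) {
    return (fs::path(storage_dir) / name).lexically_normal().string();
}

// Layer 1: the name must be exactly one path component. Reject both separator
// styles (the toolkit is cross-platform), NUL (truncation in C string APIs),
// and the dot segments.
bool is_single_component(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (unsigned char c : name) {
        if (c == '/' || c == '\\' || c == '\0') return false;
    }
    return true;
}

// Layer 2: after joining and normalizing, the parent of the result must still
// be the storage directory. This containment check is defence in depth for
// anything a character filter misses.
std::optional<std::string> safe_output_path(const std::string& storage_dir,
                                            const std::string& name) {
    if (!is_single_component(name)) return std::nullopt;
    fs::path base = fs::path(storage_dir).lexically_normal();
    if (!base.has_filename()) base = base.parent_path();  // drop trailing '/'
    fs::path full = (base / name).lexically_normal();
    if (full.parent_path() != base) return std::nullopt;
    return full.string();
}

int main() {
    // Constructed sample inputs: a PACS import directory and two names the
    // remote peer could influence, one benign and one hostile.
    const std::string dir = "/var/lib/pacs/incoming";
    const std::string benign = "1.2.840.113619.2.55.3.604688119.1.dcm";
    const std::string hostile = "../../../../etc/cron.d/dcmtk.dcm";

    std::cout << "unsafe, benign : " << unsafe_output_path(dir, benign) << '\n';
    std::cout << "unsafe, hostile: " << unsafe_output_path(dir, hostile) << '\n';
    std::cout << "safe,   benign : "
              << safe_output_path(dir, benign).value_or("rejected") << '\n';
    std::cout << "safe,   hostile: "
              << safe_output_path(dir, hostile).value_or("rejected") << '\n';
    return 0;
}
```

The first layer alone closes this class of bug; the second layer is there so that a future change to how the name is built (a prefix, a subdirectory per study) cannot silently reopen it. In a real storage routine, also open the output file with no-clobber semantics (O_EXCL or the platform equivalent) so that even a name that passes both checks cannot overwrite an existing file.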

Responsible

ICS-CERT

Reservation

06/17/2022

Disclosure

06/24/2022

Moderation

accepted

CPE

ready

EPSS

0.02822

KEV

no

Activities

very low

Sources
