CVE-2026-58126
Hyland · PACSgear PACS Scan
Hyland PACSgear PACS Scan is vulnerable to unauthenticated remote code execution via a .NET Remoting TCP service, allowing attackers to gain SYSTEM-level access through DLL hijacking.
Executive summary
A critical unauthenticated remote code execution vulnerability in Hyland PACSgear PACS Scan allows attackers to achieve SYSTEM-level control of the host server.
Vulnerability
The application exposes a .NET Remoting TCP service on port 22222 that lacks authentication, allowing arbitrary file read/write operations. This primitive can be chained with DLL hijacking in the associated service to execute code as NT AUTHORITY\SYSTEM.
Business impact
This vulnerability is critical, carrying a CVSS score of 9.8. Successful exploitation grants an attacker full administrative control over the server, leading to total system compromise, potential lateral movement within the network, and the complete loss of sensitive medical imaging data.
Remediation
Immediate Action: Update Hyland PACSgear PACS Scan to the latest version to patch the insecure service and remediate the DLL loading behavior.
Proactive Monitoring: Inspect server logs for unexpected file writes and monitor for new processes spawned by the PGImageExchangeQueueSvc.exe service.
Compensating Controls: Restrict network access to port 22222 via host-based firewalls or network segmentation, ensuring only authorized management systems can communicate with the service.
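The monitoring and compensating-control items above can be checked against host telemetry; the following is an added example, not code from the vendor or this advisory. It assumes Sysmon-style events (IDs 1, 3 and 11) already parsed into dicts; the allowlisted range, the install-directory placeholder, the `Vendor` path and the sample events are constructed, and watching the install directory for DLL writes is an assumption because the advisory does not say where the hijacked DLL is loaded from.

```python
import ipaddress
from pathlib import PureWindowsPath

SERVICE_EXE = "pgimageexchangequeuesvc.exe"  # service named in the advisory
REMOTING_PORT = 22222                        # .NET Remoting TCP port from the advisory
# Assumption: management hosts allowed to reach the port (constructed range).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]
# Assumption: placeholder install directory; replace with the real path on the host.
INSTALL_DIR = r"C:\<PACS-SCAN-INSTALL-DIR>".lower()


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return a finding string for one Sysmon-style event dict, or None."""
    eid = ev["EventID"]
    # Event 1 (process create): anything whose parent is the queue service.
    if eid == 1 and basename(ev["ParentImage"]) == SERVICE_EXE:
        return f"child process of service: {ev['Image']}"
    # Event 3 (network): inbound connection to the remoting port from outside the allowlist.
    inbound = str(ev.get("Initiated")).lower() == "false"
    if eid == 3 and inbound and int(ev["DestinationPort"]) == REMOTING_PORT:
        src = ipaddress.ip_address(ev["SourceIp"])
        if not any(src in net for net in ALLOWED_SOURCES):
            return f"remoting port reached from unapproved host: {src}"
    # Event 11 (file create): a DLL appearing under the install directory.
    if eid == 11:
        target = ev["TargetFilename"].lower()
        if target.startswith(INSTALL_DIR) and target.endswith(".dll"):
            return f"DLL written into service directory: {ev['TargetFilename']}"
    return None


def triage(events):
    """Collect findings for a list of events, in input order."""
    return [f for f in map(check_event, events) if f]


# Constructed sample events (not taken from a real incident).
SAMPLE_EVENTS = [
    {"EventID": 3, "Initiated": False, "SourceIp": "10.20.0.5", "DestinationPort": "22222"},
    {"EventID": 3, "Initiated": "false", "SourceIp": "192.0.2.77", "DestinationPort": "22222"},
    {"EventID": 11, "TargetFilename": INSTALL_DIR + r"\example.dll"},
    {"EventID": 11, "TargetFilename": r"C:\Temp\scan0001.tif"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Vendor\PGImageExchangeQueueSvc.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Vendor\PGImageExchangeQueueSvc.exe"},
]
```

Feed `triage()` the parsed events from the affected host; an empty result on a host where port 22222 is still reachable only means no matching telemetry was collected.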
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Because exploitation requires no authentication and results in high-privilege code execution, this vulnerability constitutes an emergency-level risk. Organizations should isolate affected systems from the internet and apply the vendor-supplied patch as the highest priority.