CVE-2026-58127
Hyland · PACSgear MediaWriter
Hyland PACSgear MediaWriter is vulnerable to unauthenticated remote code execution via a .NET Remoting TCP service, allowing arbitrary file read/write and SYSTEM-level privilege escalation.
Executive summary
Hyland PACSgear MediaWriter contains a critical authentication bypass vulnerability that allows unauthenticated remote attackers to achieve SYSTEM-level code execution.
Vulnerability
The software exposes a .NET Remoting TCP service on port 9000 without authentication, enabling unauthenticated remote attackers to perform arbitrary file operations. By chaining file write access with DLL hijacking, an attacker can execute arbitrary code as the NT AUTHORITY\SYSTEM account.
Business impact
With a CVSS score of 9.8, this vulnerability represents an extreme risk to infrastructure security. Successful exploitation grants full administrative control over the host system, potentially compromising sensitive medical imaging data or serving as a pivot point for further network penetration.
Remediation
Immediate Action: Update Hyland PACSgear MediaWriter to the latest version and restrict network access to port 9000 to trusted internal segments only.
Proactive Monitoring: Monitor for unexpected TCP connections to port 9000 and review system logs for unauthorized file modifications or the loading of unexpected DLLs.
Compensating Controls: If an immediate update is not feasible, isolate the PACSgear MediaWriter server from the external network and restrict TCP port 9000 access via host-based firewalls.
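The monitoring and host-firewall steps above, as an added PowerShell example (not from the vendor or the original advisory): it shows what is listening on TCP 9000, flags established peers outside the trusted subnets, and previews scoping the matching inbound allow rules. The subnet in $TrustedSubnets is an assumed placeholder, and Test-InSubnet is a helper written for this example.

```powershell
# Added example (not vendor code). Run elevated on the MediaWriter host.
$Port = 9000
# Assumption: placeholder range; replace with your trusted internal segments.
$TrustedSubnets = @('10.20.30.0/24')

# Hypothetical helper: true when $Address lies inside the CIDR block $Cidr.
function Test-InSubnet {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($a.Length -ne $n.Length) { return $false }   # IPv4 vs IPv6 mismatch
    for ($i = 0; $i -lt $a.Length; $i++) {
        $left = [int]$bits - 8 * $i                  # prefix bits still to compare
        if ($left -le 0) { break }
        $mask = if ($left -ge 8) { 0xFF } else { (0xFF -shl (8 - $left)) -band 0xFF }
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

# 1. Which process listens on the port, and on which local addresses?
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# 2. Established peers on the port that are neither loopback nor in a trusted subnet.
Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
    Where-Object {
        $peer = $_.RemoteAddress
        -not [ipaddress]::IsLoopback([ipaddress]$peer) -and
        -not ($TrustedSubnets | Where-Object { Test-InSubnet $peer $_ })
    } |
    Select-Object RemoteAddress, RemotePort, OwningProcess, CreationTime

# 3. Enabled inbound allow rules that name the port: scope them to trusted subnets.
#    Rules using port ranges or "Any" are not matched here; review those by hand.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Set-NetFirewallRule -RemoteAddress $TrustedSubnets -WhatIf   # drop -WhatIf to apply
```

Step 2 only sees connections open at the moment it runs, so schedule it or pair it with connection logging for continuous coverage.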
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability carries a high risk of full system takeover. IT administrators must prioritize updating the PACSgear MediaWriter software and ensure that the associated service is not exposed to untrusted network segments.