CVE-2026-58127

Hyland · PACSgear MediaWriter

Hyland PACSgear MediaWriter is vulnerable to unauthenticated remote code execution via a .NET Remoting TCP service, allowing arbitrary file read/write and SYSTEM-level privilege escalation.

Executive summary

Hyland PACSgear MediaWriter contains a critical authentication bypass vulnerability that allows unauthenticated remote attackers to achieve SYSTEM-level code execution.

Vulnerability

The software exposes a .NET Remoting TCP service on port 9000 that requires no authentication, so remote attackers can perform arbitrary file operations. By chaining file write access with DLL hijacking, an attacker can execute arbitrary code as the NT AUTHORITY\SYSTEM account.

Business impact

With a CVSS score of 9.8, this vulnerability represents an extreme risk to infrastructure security. Successful exploitation grants full administrative control over the host system, potentially compromising sensitive medical imaging data or serving as a pivot point for further network penetration.

Remediation

Immediate Action: Update Hyland PACSgear MediaWriter to the latest version and restrict network access to port 9000 to trusted internal segments only.

Proactive Monitoring: Monitor for unexpected TCP connections to port 9000 and review system logs for unauthorized file modifications or the loading of unexpected DLLs.

Compensating Controls: If an immediate update is not feasible, isolate the PACSgear MediaWriter server from the external network and restrict TCP port 9000 access via host-based firewalls.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability carries a high risk of full system takeover. IT administrators must prioritize updating the PACSgear MediaWriter software and ensure that the associated service is not exposed to untrusted network segments.