
CVE-2025-14607: Memory Corruption in OFFIS DCMTK

Severity: Medium
Published: Sat Dec 13 2025 (12/13/2025, 13:02:07 UTC)
Source: CVE Database V5
Vendor/Project: OFFIS
Product: DCMTK

Description

A vulnerability was detected in OFFIS DCMTK up to 3.6.9. Affected by this issue is the function DcmByteString::makeDicomByteString of the file dcmdata/libsrc/dcbytstr.cc of the component dcmdata. The manipulation results in memory corruption. The attack can be launched remotely. Upgrading to version 3.7.0 can resolve this issue. The patch is identified as 4c0e5c10079392c594d6a7abd95dd78ac0aa556a. You should upgrade the affected component.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/24/2026, 22:58:53 UTC

Technical Analysis

CVE-2025-14607 is a memory corruption vulnerability in OFFIS DCMTK, a widely used open-source toolkit for reading, writing and exchanging DICOM (Digital Imaging and Communications in Medicine) data. The flaw lies in the function DcmByteString::makeDicomByteString in the dcmdata component (file dcmdata/libsrc/dcbytstr.cc). That function converts the internal value of a string-type attribute into its on-wire DICOM representation, which must have an even byte length and is therefore padded with a trailing space (or a NUL byte for UID values); improper handling of the value during that conversion leads to memory corruption. Because the conversion is reached whenever string attributes are encoded, the flaw can be triggered remotely by delivering crafted DICOM data to an application built on DCMTK versions up to and including 3.6.9, for example a DICOM network receiver such as DCMTK's own storescp, a PACS or a modality interface that accepts C-STORE requests, or any service that parses received DICOM files. The Medium rating indicates limited impact on confidentiality, integrity and availability, but memory corruption in a parser exposed to the network should be assumed to allow at least a crash of the receiving service (denial of service) and, depending on the allocator and surrounding code, possibly code execution. The vulnerability is patched in version 3.7.0; the fix is identified by commit 4c0e5c10079392c594d6a7abd95dd78ac0aa556a. No known exploits have been reported in the wild as of the publication date. Given DCMTK's role in medical imaging workflows, and the number of commercial products that embed it, this vulnerability poses a risk to healthcare providers and to any system that processes DICOM data from outside parties.

Potential Impact

The primary impact of CVE-2025-14607 is that a remote attacker who can deliver DICOM data to a vulnerable application can corrupt its memory. The reliable outcome is a crash of the receiving service (denial of service); arbitrary code execution is possible in principle if the corruption can be shaped further. In a clinical setting a crashed or wedged DICOM receiver interrupts image transfer between modalities, PACS and viewing workstations, which can delay diagnosis and treatment. Confidentiality and integrity impacts are rated limited but cannot be ruled out if an attacker achieves code execution on a host that stores or routes patient images. DCMTK is embedded in many commercial and open-source imaging products, so hospitals, clinics and medical device manufacturers may be exposed through vendor software rather than through a DCMTK installation they manage directly. The Medium CVSS score reflects moderate technical risk, but the operational sensitivity of the healthcare sector raises the practical impact. Organizations that integrate DCMTK into their imaging systems or PACS (Picture Archiving and Communication Systems) risk service disruption and potential compromise if they remain unpatched.

Mitigation Recommendations

To mitigate CVE-2025-14607, upgrade all instances of OFFIS DCMTK to version 3.7.0 or later, which contains the official fix. Because DCMTK is commonly compiled into third-party products, inventory which applications and appliances link the library (software bills of materials, vendor advisories, and `dcmdump --version` or the library's version string on hosts you control) and track vendor patches for each. At the network level, restrict access to DICOM services (conventionally TCP port 104 or 11112) to trusted, explicitly enumerated modality and PACS hosts, and reject associations from any other source; DICOM application entity titles are not an authentication mechanism and should not be relied on as one. DICOM-aware gateways or application-layer firewalls can detect and drop malformed DICOM data before it reaches a vulnerable parser. Monitor for crashes or restarts of DICOM receiver processes and for association attempts from unexpected hosts, since either can indicate exploitation attempts against this bug. Where an immediate upgrade is not feasible, isolate vulnerable systems from untrusted networks with strict segmentation. Finally, maintain an incident response plan tailored to healthcare IT environments so that suspected exploitation can be contained without halting clinical imaging.
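The following is an added illustration written for this page; it is not DCMTK code and does not reproduce the patched function. It shows two things the analysis above refers to: the even-length padding rule that DcmByteString::makeDicomByteString applies to string attributes, implemented here with an explicit bound on the VR's length field, and a minimal explicit-VR little-endian walker of the kind a DICOM-aware gateway could use to flag string elements that are odd-length or whose declared length overruns the data. The VR sets follow DICOM PS3.5; the sample file built by `build_sample` is constructed inline so the script runs offline. Undefined-length sequences and pixel data are not walked.

```python
"""Added example (not DCMTK code): DICOM byte-string padding and a
malformed-string scanner for explicit VR little-endian Part 10 files."""
import struct

# String VRs per DICOM PS3.5. UI pads with NUL, every other string VR with space.
STRING_VRS = {"AE", "AS", "CS", "DA", "DS", "DT", "IS", "LO", "LT", "PN",
              "SH", "ST", "TM", "UC", "UI", "UR", "UT"}
# VRs whose explicit-VR header carries 2 reserved bytes and a 4-byte length.
LONG_LENGTH_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC",
                   "UN", "UR", "UT", "UV"}


def length_limit(vr: str) -> int:
    """Largest defined length the VR's length field can express."""
    return 0xFFFFFFFE if vr in LONG_LENGTH_VRS else 0xFFFE


def make_dicom_byte_string(value: str, vr: str) -> bytes:
    """On-wire value field for a string VR: even length, padded, bounded."""
    if vr not in STRING_VRS:
        raise ValueError(f"{vr} is not a string VR")
    raw = value.encode("ascii")
    if len(raw) % 2:
        raw += b"\x00" if vr == "UI" else b" "
    # Refuse values the length field cannot hold instead of letting it wrap.
    if len(raw) > length_limit(vr):
        raise ValueError(f"{len(raw)}-byte value exceeds {vr} length field")
    return raw


def encode_element(group: int, elem: int, vr: str, value: bytes) -> bytes:
    """Serialize one explicit VR little-endian data element."""
    head = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def scan_explicit_vr_le(data: bytes):
    """Walk a Part 10 file and report string elements that are odd-length
    or whose declared length overruns the buffer. Returns (findings, seen)."""
    findings, seen = [], 0
    if len(data) < 132 or data[128:132] != b"DICM":
        return ["missing DICM prefix"], 0
    pos = 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii", "replace")
        tag = f"({group:04X},{elem:04X})"
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                findings.append(f"{tag}: truncated header at offset {pos}")
                break
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        if length == 0xFFFFFFFF:
            break  # undefined-length SQ/pixel data: not walked in this example
        if pos + length > len(data):
            findings.append(f"{tag} {vr}: declared length {length} exceeds "
                            f"remaining {len(data) - pos} bytes")
            break
        if vr in STRING_VRS and length % 2:
            findings.append(f"{tag} {vr}: odd value length {length}")
        seen += 1
        pos += length
    return findings, seen


def build_sample(patient_name: bytes) -> bytes:
    """Constructed minimal Part 10 file: preamble, DICM, file meta group,
    one CS element and one PN element. patient_name is inserted verbatim so
    the caller can craft an odd-length or otherwise malformed value."""
    ts_uid = make_dicom_byte_string("1.2.840.10008.1.2.1", "UI")  # explicit VR LE
    meta_body = encode_element(0x0002, 0x0010, "UI", ts_uid)
    meta = encode_element(0x0002, 0x0000, "UL",
                          struct.pack("<I", len(meta_body))) + meta_body
    body = (encode_element(0x0008, 0x0060, "CS", make_dicom_byte_string("CT", "CS"))
            + encode_element(0x0010, 0x0010, "PN", patient_name))
    return b"\x00" * 128 + b"DICM" + meta + body


if __name__ == "__main__":
    ok = build_sample(make_dicom_byte_string("DOE^JOHN", "PN"))
    odd = build_sample(b"DOE^JANE1")          # 9-byte PN, violates even-length rule
    for name, blob in (("well-formed", ok), ("odd-length", odd), ("truncated", ok[:-2])):
        print(name, scan_explicit_vr_le(blob))
```

The scanner stops at the first length that overruns the buffer rather than trusting it, which is exactly the decision a parser must make before copying a value; an odd-length string is only a standards violation, but it is also the sort of input that exercises the padding path in the affected function and is worth rejecting at a gateway.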


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2025-12-12T19:54:18.039Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 693d666c38f0070a6570c1da

Added to database: 12/13/2025, 1:13:16 PM

Last enriched: 2/24/2026, 10:58:53 PM

Last updated: 3/24/2026, 9:54:04 PM

Views: 143
