CVE-2025-14607 is a memory corruption vulnerability identified in the OFFIS DCMTK library, a widely used open-source toolkit for handling DICOM (Digital Imaging and Communications in Medicine) files, which are standard in medical imaging. The vulnerability resides in the function DcmByteString::makeDicomByteString within the dcmdata component (file dcbytstr.cc). This function improperly handles certain byte string manipulations, leading to memory corruption when processing crafted DICOM data. The flaw can be triggered remotely by an attacker sending malicious DICOM data to an application using vulnerable DCMTK versions (3.6.0 through 3.6.9). No user interaction or elevated privileges are required, increasing the risk profile. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges or user interaction needed, but limited impact on confidentiality, integrity, and availability. The vulnerability could cause application crashes or potentially allow limited code execution depending on the context of use. The issue is fixed in DCMTK version 3.7.0, with the patch identified by commit 4c0e5c10079392c594d6a7abd95dd78ac0aa556a. No known exploits have been reported in the wild yet, but the critical role of DCMTK in medical imaging systems makes this a significant concern for healthcare providers and software vendors integrating DCMTK.

The primary impact of CVE-2025-14607 is on the availability and integrity of medical imaging systems that rely on the DCMTK library for processing DICOM files. Successful exploitation could lead to application crashes (denial of service), disrupting clinical workflows and delaying diagnosis or treatment. In some scenarios, memory corruption might be leveraged for limited code execution, potentially allowing attackers to manipulate or exfiltrate sensitive patient data, impacting confidentiality. European healthcare organizations are particularly vulnerable due to the widespread use of DICOM standards and DCMTK in medical imaging devices, PACS (Picture Archiving and Communication Systems), and radiology software. Disruptions could affect hospitals, diagnostic centers, and telemedicine services, leading to patient safety risks and regulatory compliance issues under GDPR and medical device regulations. The remote attack vector and lack of required user interaction increase the threat level. Although no active exploits are known, the vulnerability could be targeted by threat actors aiming to disrupt healthcare services or steal sensitive health information.

1. Immediate upgrade of all DCMTK deployments to version 3.7.0 or later to apply the official patch. 2. For organizations unable to upgrade immediately, implement network-level controls to restrict access to systems processing DICOM data, including segmentation and firewall rules limiting inbound connections to trusted sources. 3. Employ input validation and sanitization on DICOM data where possible, using application-layer filters or proxy solutions to detect malformed or suspicious DICOM files. 4. Monitor logs and system behavior for signs of crashes or anomalous activity related to DICOM processing components. 5. Coordinate with medical device vendors and PACS providers to ensure their products incorporate the patched DCMTK version or equivalent mitigations. 6. Conduct security awareness and incident response exercises focused on medical imaging infrastructure. 7. Maintain up-to-date backups and recovery plans for critical imaging systems to minimize downtime in case of exploitation.