CVE-2025-25475 identifies a vulnerability in the open-source DICOM toolkit DCMTK, specifically in the /libsrc/dcrleccd.cc component. The flaw is a NULL pointer dereference (CWE-476) that occurs when the software processes a specially crafted DICOM file. This leads to a denial of service (DoS) condition by crashing or halting the affected application, thereby impacting system availability. The vulnerability affects DCMTK versions 3.6.9 and later development builds. Exploitation requires no privileges or user interaction and can be performed remotely by sending malicious DICOM files to systems that parse them. DCMTK is widely used in medical imaging environments for handling DICOM files, which are standard in radiology and other healthcare imaging workflows. Although the vulnerability does not compromise confidentiality or integrity, the DoS can disrupt critical healthcare services that rely on timely image processing. No patches or fixes are currently linked, and no exploits have been observed in the wild, but the CVSS score of 7.5 reflects the high impact on availability combined with ease of exploitation. The root cause is improper handling of null pointers during DICOM file decoding, which should be addressed by improved input validation and error handling in the affected component.

The primary impact of CVE-2025-25475 is denial of service, which can interrupt medical imaging workflows by crashing or freezing systems that use DCMTK to process DICOM files. For European healthcare providers, this can delay diagnosis and treatment, potentially affecting patient outcomes. Disruption of imaging services may also lead to increased operational costs and reputational damage. Since DCMTK is integrated into various medical devices and software used in hospitals and clinics, the scope of impact can be broad. The vulnerability does not expose patient data or allow unauthorized access, but availability interruptions in critical healthcare environments are significant. Additionally, attackers could exploit this vulnerability to cause repeated outages or to distract security teams during other attacks. The lack of authentication or user interaction requirements increases the risk of remote exploitation, especially in environments where DICOM files are received from external sources or networks without sufficient filtering.

Organizations should monitor for official patches or updates from the DCMTK project and apply them promptly once available. Until a patch is released, implement strict network segmentation and access controls to limit exposure of systems processing DICOM files to untrusted networks or users. Employ input validation and filtering mechanisms to detect and block malformed or suspicious DICOM files before they reach vulnerable components. Consider deploying intrusion detection or prevention systems tuned to identify anomalous DICOM traffic patterns. Regularly audit and update medical imaging software and devices to ensure they use secure and supported versions of DCMTK. Establish incident response procedures to quickly recover from potential DoS incidents affecting imaging services. Engage with vendors and healthcare IT providers to confirm their use of DCMTK and coordinate mitigation efforts. Finally, maintain backups and redundancy for critical imaging systems to minimize service disruption.