Description
PACSgear PACS Scan 5.2.1 contains an unauthenticated remote code execution vulnerability that allows remote attackers to read and write arbitrary files by exploiting an exposed .NET Remoting TCP service on port 22222 via PGImageExchQueue.exe without any authentication requirement. Attackers can chain the arbitrary file write primitive with DLL hijacking in PGImageExchangeQueueSvc.exe, which loads missing DLLs such as CRYPTSP.DLL from the application directory, to achieve remote code execution as NT Authority\SYSTEM upon service restart.
Published: 2026-07-01
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated remote code execution flaw that allows attackers to read and write arbitrary files through an exposed .NET Remoting TCP service on port 22222. By exploiting PGImageExchQueue.exe, an attacker can chain a file‑write primitive with DLL hijacking in PGImageExchangeQueueSvc.exe. The chain causes the service to restart and load missing DLLs such as CRYPTSP.DLL from the application directory, thereby executing arbitrary code as NT Authority\SYSTEM. This privilege escalation provides the attacker with full control over the affected system.

Affected Systems

Hyland PACSgear PACS Scan version 5.2.1 is susceptible to the vulnerability. Only this product and version are currently documented as affected; other versions are not known to be impacted.

Risk and Exploitability

The flaw scores a CVSS of 9.3, indicating critical severity, and is reachable via a network connection to port 22222 without authentication. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an actor to have network access to the host running PACS Scan; no administrative privileges or local access are needed to start the exploitation. Once the attacker establishes a connection, the vector of exploitation is simple: send a crafted payload that triggers the file write and DLL hijack, leading to system‑level code execution upon service restart.

Generated by OpenCVE AI on July 1, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade to a later PACS Scan release where the .NET Remoting service is disabled or requires authentication; if a patch is not available, contact Hyland for guidance.
  • Block inbound traffic to TCP port 22222 from all untrusted networks or disable the PGImageExchangeQueueSvc service if the functionality is not required.
  • Configure strict permissions for the PACS Scan application directory to prevent DLL hijacking; remove or relocate untrusted DLLs such as CRYPTSP.DLL and ensure only signed, trusted DLLs can be loaded.

Generated by OpenCVE AI on July 1, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Description PACSgear PACS Scan 5.2.1 contains an unauthenticated remote code execution vulnerability that allows remote attackers to read and write arbitrary files by exploiting an exposed .NET Remoting TCP service on port 22222 via PGImageExchQueue.exe without any authentication requirement. Attackers can chain the arbitrary file write primitive with DLL hijacking in PGImageExchangeQueueSvc.exe, which loads missing DLLs such as CRYPTSP.DLL from the application directory, to achieve remote code execution as NT Authority\SYSTEM upon service restart.
Title PACSgear PACS Scan 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service
Weaknesses CWE-306
CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-01T16:06:12.873Z

Reserved: 2026-06-29T14:13:18.384Z

Link: CVE-2026-58126

cve-icon Vulnrichment

Updated: 2026-07-01T16:04:30.731Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T19:45:04Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-502

    Deserialization of Untrusted Data