Impact
PACSGear MediaWriter 5.2.1 allows an attacker to exploit a .NET Remoting TCP service that is enabled on port 9000 and requires no authentication. By deserializing a MarshalByRefObject and using .NET WebClient methods, the attacker can read and write arbitrary files on the host. The ObjectURIs used by the service are identical on all installations, enabling a universal exploitation method. The write is sufficient to perform DLL hijacking by placing a crafted DLL in the application directory. When the MediaWriter service restarts, it loads the malicious DLL as NT Authority\SYSTEM, giving the attacker system‑level code execution.
Affected Systems
The affected product is Hyland PACSGear MediaWriter version 5.2.1. All installations of this version expose the same .NET Remoting TCP service on port 9000, exposing them to the described vulnerability.
Risk and Exploitability
The CVSS score of 9.3 classifies this as a critical vulnerability. Although the EPSS score is not published, the lack of any authentication requirement and the presence of a documented exploit enable straightforward remote exploitation. The vulnerability is not listed in the CISA KEV catalog, but the severity and readiness of an exploit make it a high‑risk threat for any system that can reach the service over the network. Attackers would only need network access to the target host to leverage the vulnerability.
OpenCVE Enrichment