External risk intelligence

PACSgear PACS Scan Unauthenticated Remote Code Execution via .NET Remoting

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-58126

The vulnerability affects a .NET Remoting TCP service running on a specific port. While the service is network-accessible, it is typically part of a specialized medical imaging integration suite rather than a standard internet-facing web service, edge gateway, or public-facing portal. Public internet exposure is therefore not the common or intended deployment pattern for this product.

Missing Authentication

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in PACSgear PACS Scan, a medical imaging software. The issue involves an unauthenticated remote code execution flaw that could allow unauthorized access and modification of files. The primary concern is to determine if this specific technology is in use within our organization and, if so, to assess the potential exposure.

  • Software allows remote takeover.
  • Critical flaw affects medical imaging software.
  • Confirm if used; assess exposure risk.

Attack Path

How an attacker could exploit the issue

An attacker can remotely exploit a vulnerable .NET Remoting TCP service to read and write arbitrary files. By chaining this file manipulation capability with DLL hijacking, the attacker can ultimately achieve remote code execution with SYSTEM privileges after the service restarts.

  • Unauthenticated network exposure required.
  • Triggered via exposed TCP service.
  • Results in SYSTEM-level code execution.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability in a specialized medical imaging service could allow unauthenticated remote attackers to read and write arbitrary files, potentially leading to remote code execution. This could affect system integrity and access to sensitive medical data.

  • System files and medical data at risk.
  • Attackers exploit exposed .NET service.
  • Remote code execution as SYSTEM.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in PACSgear PACS Scan's .NET Remoting service requires immediate attention. Application owners, in coordination with infrastructure and security teams, are responsible for identifying all instances of this software. The first step is to locate the affected technology, assess its network exposure and business criticality, and determine the accountable system owner to plan remediation.

  • Identify application and infrastructure owners.
  • Verify network exposure and business criticality.
  • Plan remediation based on identified risks.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is PACSgear PACS Scan?

PACSgear PACS Scan is a specialized software suite used in medical environments to streamline document and image integration into Picture Archiving and Communication Systems (PACS). It bridges the gap between various imaging devices and the central storage systems hospitals use to manage clinical records, ensuring that essential patient data is correctly captured, indexed, and made available for diagnostic review by medical professionals.

What does CVE-2026-58126 mean for security?

This vulnerability involves a weakness in how the software handles network communication. Specifically, it involves missing authentication for critical operations and insecure deserialization, which are flaws that allow a remote user to interact with the system without providing credentials. This breakdown in security controls lets an attacker manipulate system files and, through a secondary technique, trick the software into running unauthorized commands with high-level system privileges.

How is the vulnerability in PACSgear triggered?

An attacker triggers the vulnerability by sending malicious requests to a specific .NET Remoting TCP service that listens on port 22222. The exploit path relies on this service accepting unauthenticated commands to read or write files. It is important to note that simply having the software installed is not enough; the service must be reachable over the network for an attacker to initiate the chain that leads to unauthorized file modification and eventual code execution.

Is my system at risk for this CVE?

Risk depends heavily on your specific deployment environment. According to Halo Surface Signal, this software component is designed for specialized medical imaging integration and is not intended to be exposed directly to the public internet like a standard web portal. If your instance is isolated within a secure internal network rather than being reachable from the open internet, the immediate likelihood of a remote, unauthenticated attack from an external party is significantly reduced.

What should I do if I use PACSgear PACS Scan?

First, identify all servers running this software within your organization. Once you have an inventory, coordinate with your infrastructure team to verify if the TCP service on port 22222 is accessible beyond the systems that strictly require it for medical imaging functions. Confirm the business criticality of each instance and work with your system owners to prioritize these assets for official software updates or protective network configuration changes.

References