External risk intelligence

PACSgear MediaWriter Unauthenticated Remote Code Execution via .NET Remoting Service

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-58127

The vulnerability affects a .NET Remoting TCP service running on port 9000 within a PACS/medical imaging software suite. While network-reachable, these applications are typically deployed within private clinical or hospital networks rather than directly exposed to the public internet, making wide-scale public accessibility less common than for standard web-facing services.

Missing Authentication

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in PACSgear MediaWriter, a component used in medical imaging software. The issue allows unauthenticated remote attackers to potentially execute code with system-level privileges by exploiting an unprotected network service. While the vulnerability is severe, its practical impact depends on the specific network deployment and whether the affected service is accessible externally.

  • Unprotected network service allows remote code execution.
  • Critical risk if the service is accessible externally.
  • Confirm relevance and assess exposure to internal systems.

Attack Path

How an attacker could exploit the issue

An attacker can initiate an attack by finding an exposed .NET Remoting TCP service on port 9000. This service, part of the PACSgear MediaWriter, does not require authentication and allows for arbitrary file read and write operations on the host. By combining this with a known DLL hijacking vulnerability in the service, an attacker can achieve code execution with SYSTEM privileges after the service restarts.

  • Network access to the service is required.
  • The vulnerability is triggered by interacting with the .NET Remoting service.
  • Risk includes unauthenticated remote code execution as SYSTEM.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated remote attackers to read and write arbitrary files on the host system when the PACSgear MediaWriter service is running. Exploiting this could lead to system compromise if the service is configured to load missing DLLs from the application directory, enabling remote code execution as SYSTEM.

  • Arbitrary file read/write access on host.
  • Network access to unauthenticated service.
  • Remote code execution as SYSTEM.

Operational Fix

Recommended remediation, mitigation, and detection steps

Attackers can achieve unauthenticated remote code execution as SYSTEM by exploiting a .NET Remoting TCP service in PACSgear MediaWriter. Initial actions should focus on identifying all instances of the affected technology, confirming exposure and business criticality, and locating the accountable owner to plan risk-based remediation.

  • Identify and confirm affected systems.
  • Verify exposure and business criticality.
  • Plan remediation with accountable owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is PACSgear MediaWriter?

PACSgear MediaWriter is a specialized software component often used within medical environments to manage and burn medical imaging data to physical media. It includes a server engine module that facilitates data processing and communication, which is the specific part affected by this security issue.

What does CVE-2026-58127 mean for security?

This CVE involves two primary weaknesses: missing authentication and insecure deserialization. Because the software fails to verify who is connecting to its .NET Remoting service, it allows unauthorized users to manipulate data. By abusing how the system processes object information, an attacker can read or write any file on the host machine, which can ultimately be leveraged to run unauthorized programs with full system control.

How is this vulnerability triggered?

An attacker triggers the bug by sending specifically crafted requests to the .NET Remoting service running on TCP port 9000. It is important to note that sending traffic to other services or ports on the same host does not initiate this attack. The vulnerability requires direct, unauthenticated communication with the specific network service established by the PACSgear component.

Do I need to worry about this if my system is internal?

Yes, but your risk level differs from internet-facing systems. According to Halo Surface Signal, this software typically resides within private hospital or clinical networks, which may reduce its public visibility. However, an attacker who has already gained a foothold inside your network could still reach and exploit the service on port 9000. You should assess if the service is reachable by unauthorized internal users or lateral movement.

What are the first steps to address this?

Start by locating every instance of PACSgear MediaWriter across your environment. Once identified, confirm if these systems are accessible over the network. Work with the internal owners of these medical imaging systems to prioritize these devices, understand their business criticality, and prepare for necessary security updates or configuration changes to restrict unauthorized access.

References