HIPAA Compliance Training and Certification

HIPAA News

MicroDicom DICOM Viewer’s High Severity Vulnerability

by | Jun 22, 2025

DICOM, Digital Imaging and Communications in Medicine, had a high-severity vulnerability discovered in its MicroDicom DICOM Viewer, which is a free software program used to view and manipulate DICOM medical images.

A threat actor can exploit the vulnerability remotely even with a low complexity attack. If the exploitation is successful, the attacker can execute arbitrary code on vulnerable DICOM Viewer. To proceed with the vulnerability exploitation, user interaction is necessary, which means, the threat actor must lead a user to click a malicious DICOM file locally or go to a malicious web page. This can be achieved by means of phishing or social engineering attack.

Vulnerability CVE-2025-5943 impacts DICOM Viewer version 2025.2 (Build 8154) and earlier versions. The vulnerability is described as an out-of-range write issue. It means that the threat actor can write to memory beyond the boundaries of the supposed buffer and implement arbitrary code. The vulnerability is given a CVSS v3.1 base score of 8.8 out of 10 and a CVSS v4 base rating of 8.6 out of 10. Although there were no identified instances of vulnerability exploitation in the wild during the announcement, it is recommended to apply patching immediately. DICOM already fixed the vulnerability in version 2025.3 and more recent versions.

Independent security researcher Michael Heinzl discovered the vulnerability and reported it to the U.S. Cybersecurity and Infrastructure Agency (CISA). DICOM reported other vulnerabilities before this latest report as follows:

  • Two high-severity vulnerabilities in May 2025,
  • a medium-severity vulnerability in February 2025, which can be exploited in a machine-in-the-middle (MitM) attack
  • Four high-severity vulnerabilities were discovered in 2024 and announced in March and June 2024

Because HIPAA-certified DICOM often identifies vulnerabilities, it is recommended that DICOM Viewer be protected with a firewall and separated from business systems. In case remote access is necessary, DICOM should use a secure connection like a Virtual Private Network (VPN) and ensure that the VPN is updated.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Please enable JavaScript in your browser to complete this form.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy