Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25928 is a path traversal vulnerability in the OpenEMR application affecting versions prior to 8.0.0.2, specifically in the DICOM zip/export feature.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application uses a user-supplied destination path component when creating zip files of uploaded DICOM folders without properly sanitizing or removing path traversal sequences like "../".'}, {'type': 'paragraph', 'content': 'An attacker with DICOM upload/export permissions can exploit this by submitting a crafted destination parameter that causes the zip file to be created outside the intended temporary directory, potentially under the web root.'}, {'type': 'paragraph', 'content': 'This can lead to arbitrary file write and possibly remote code execution if executable files such as PHP scripts are written to a web-accessible location.'}, {'type': 'paragraph', 'content': 'The issue was fixed in OpenEMR version 8.0.0.2 by sanitizing paths and restricting them to a whitelisted base directory.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with DICOM upload/export permissions to write files outside the intended directory.

If the attacker writes executable files such as PHP scripts under the web root, it can lead to remote code execution, allowing them to run arbitrary code on the server.

This compromises the integrity of the system by enabling unauthorized file writes and potentially full control over the affected server.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your OpenEMR installation is running a version prior to 8.0.0.2 and if the DICOM zip/export feature is in use. Specifically, you can look for evidence of path traversal sequences (e.g., "../") in the destination parameter used during DICOM export operations.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of malicious files, you can search your web root or temporary files directory for unexpected zip files or files created outside the intended directories, especially those containing path traversal patterns.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious files or activity include:'}, {'type': 'list_item', 'content': 'Find zip files with path traversal patterns in their names or unexpected locations: `find /path/to/openemr/tmp -name "*..*"`'}, {'type': 'list_item', 'content': 'Search for recently created or modified files in the web root that should not be there: `find /path/to/openemr/public -type f -mtime -7`'}, {'type': 'list_item', 'content': 'Check web server logs for unusual POST requests to DICOM upload/export endpoints containing suspicious destination parameters with "../" sequences.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and recommended mitigation is to upgrade OpenEMR to version 8.0.0.2 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, restrict DICOM upload/export permissions to trusted users only, as the vulnerability requires such privileges.'}, {'type': 'paragraph', 'content': 'Additionally, monitor and sanitize any user-supplied input related to file paths or names in the DICOM export feature to prevent path traversal sequences.'}, {'type': 'paragraph', 'content': "Review and apply any available patches or code changes that sanitize filenames and destination paths, such as those applying PHP's basename() function to uploaded filenames and restricting output paths to canonical directories."}] [1, 2]

Useful 0 Not Useful 0