ctipilot.ch

Cisco Talos — DICOM-format heap OOB-write attack surface against Orthanc PACS (pydicom/GDCM)

vulnerability-trend · item:talos-dicom-pacs-orthanc-heap-attack-surface

Coverage timeline: 1 (first 2026-05-31 → last 2026-05-31)
Briefs: 1 (1 distinct)
Sources cited: 40 (25 hosts)
Sections touched: 1 (research)
Co-occurring entities: 4

Story timeline

  1. 2026-05-31 · CTI Daily Brief — 2026-05-31
     research: Talos research; network-ingested DICOM studies -> heap OOB write in PACS parsers; healthcare segmentation/AE-title posture; no CVE/PoC in public post

Where this entity is cited

  • research (1)

Source distribution

  • blog.talosintelligence.com: 6 (15%)
  • attack.mitre.org: 6 (15%)
  • sec.cloudapps.cisco.com: 3 (8%)
  • theregister.com: 2 (5%)
  • bleepingcomputer.com: 2 (5%)
  • thehackernews.com: 2 (5%)
  • cisa.gov: 1 (2%)
  • rapid7.com: 1 (2%)
  • other: 17 (42%)

Items in briefs about Cisco Talos — DICOM-format heap OOB-write attack surface against Orthanc PACS (pydicom/GDCM) (8)

[SINGLE-SOURCE] Cisco Talos maps the DICOM-format attack surface against Orthanc PACS — network-ingested medical images as a heap out-of-bounds-write primitive

From CTI Daily Brief — 2026-05-31 · published 2026-05-31

Cisco Talos published a technical study on 2026-05-28 examining how the DICOM medical-imaging file format yields heap out-of-bounds-write conditions across three parsers — the Python pydicom library, GDCM (Grassroots DICOM), and the parser inside Orthanc, the open-source PACS (Picture Archiving and Communication System) server widely deployed in hospital radiology (Cisco Talos, 2026-05-28). Talos frames the upload/ingestion pathway as the highest-concern surface: hospital PACS routinely auto-ingest DICOM studies received over the network from imaging modalities (CT, MRI, X-ray) via DICOM C-STORE, so a malformed study from any connected modality or compromised upstream institution can directly reach the vulnerable decoder without user action. The write primitive arises from the format's variable-length Value Representation (VR) tag structure combined with lax bounds-checking in heap allocation. The public blog post discloses no CVE identifiers and no exploit code — the underlying technique class is T1190 (exploit public-facing application) where a PACS endpoint is network-reachable, or delivery via a malicious study over DICOM networking. [SINGLE-SOURCE] (Cisco Talos primary research).

Why it matters to us: Swiss cantonal and university hospitals and EU healthcare providers — NIS2 critical entities — universally run PACS/DICOM infrastructure, and Orthanc is common in academic medical centres. The attack surface is structural to how PACS operate (mandatory DICOM connectivity to vendor equipment), so it cannot be closed by patching a single product alone. Defender posture from the research: review network segmentation between PACS servers and clinical workstations; restrict DICOM C-STORE acceptance to known modality Application Entity (AE) titles via the PACS ACL; confirm Orthanc instances run a supported version; treat studies arriving from referring institutions as untrusted input.
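The two points above (a 4-byte length field that a lax parser trusts before allocating, and restricting C-STORE acceptance to registered AE titles) are illustrated by the following Python. It is example code added for this page, not code from pydicom, GDCM or Orthanc. It assumes an explicit-VR little-endian data set without sequences, a constructed two-element sample study, and a hypothetical modality table of the shape `alias -> (AE title, host)`; none of these values come from the Talos post.

```python
import struct
from typing import Dict, List, Tuple

# Explicit VR little-endian rules: these VRs carry 2 reserved bytes + a 4-byte length,
# every other VR a 2-byte length (simplified assumption for this example).
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
SHORT_LENGTH_VRS = {
    b"AE", b"AS", b"AT", b"CS", b"DA", b"DS", b"DT", b"FL", b"FD", b"IS", b"LO",
    b"LT", b"PN", b"SH", b"SL", b"SS", b"ST", b"TM", b"UI", b"UL", b"US",
}
UNDEFINED_LENGTH = 0xFFFFFFFF
Element = Tuple[Tuple[int, int], str, bytes]


class DicomBoundsError(ValueError):
    """A declared value length does not fit the bytes actually received."""


def parse_elements(buf: bytes, max_value_len: int = 64 * 1024 * 1024) -> List[Element]:
    """Return (tag, VR, value) triples. Every declared length is checked against the
    remaining bytes BEFORE any copy and capped, so the length field alone can never
    drive an out-of-bounds read or write. Undefined-length items are rejected."""
    off = 132 if len(buf) >= 132 and buf[128:132] == b"DICM" else 0  # skip preamble if present
    elements: List[Element] = []
    while off < len(buf):
        if len(buf) - off < 8:
            raise DicomBoundsError(f"truncated element header at offset {off}")
        group, elem = struct.unpack_from("<HH", buf, off)
        vr = buf[off + 4:off + 6]
        if vr in LONG_LENGTH_VRS:
            if len(buf) - off < 12:
                raise DicomBoundsError(f"truncated long header at offset {off}")
            (length,) = struct.unpack_from("<I", buf, off + 8)
            off += 12
        elif vr in SHORT_LENGTH_VRS:
            (length,) = struct.unpack_from("<H", buf, off + 6)
            off += 8
        else:
            raise DicomBoundsError(f"unknown VR {vr!r} at offset {off}")
        if length == UNDEFINED_LENGTH:
            raise DicomBoundsError(f"undefined length for ({group:04X},{elem:04X}) not supported here")
        if length > max_value_len:
            raise DicomBoundsError(f"declared length {length} exceeds cap for ({group:04X},{elem:04X})")
        if length > len(buf) - off:  # the check a lax decoder omits before allocating/copying
            raise DicomBoundsError(
                f"({group:04X},{elem:04X}) declares {length} bytes, only {len(buf) - off} remain")
        elements.append(((group, elem), vr.decode("ascii"), buf[off:off + length]))
        off += length
    return elements


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_elements(buf)
        return True
    except DicomBoundsError:
        return False


def accept_association(calling_aet: str, peer_ip: str, called_aet: str,
                       modalities: Dict[str, Tuple[str, str]], our_aet: str) -> bool:
    """ACL posture: accept a C-STORE association only when the peer's AE title AND
    source host match a registered modality and the called AE title is ours.
    `modalities` (alias -> (AE title, host)) is a hypothetical table for this example."""
    if called_aet != our_aet:
        return False
    return any(calling_aet == aet and peer_ip == host for aet, host in modalities.values())


# --- constructed sample data, not taken from any real study ----------------------------
def _element(group: int, elem: int, vr: bytes, value: bytes) -> bytes:
    if len(value) % 2:  # values are even-length padded: NUL for UI/OB, space otherwise
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    if vr in LONG_LENGTH_VRS:
        return struct.pack("<HH", group, elem) + vr + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return struct.pack("<HH", group, elem) + vr + struct.pack("<H", len(value)) + value


SAMPLE_GOOD = (
    _element(0x0008, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.2")  # SOP Class UID, CT Image Storage
    + _element(0x0010, 0x0010, b"PN", b"Doe^Jane")
    + _element(0x7FE0, 0x0010, b"OB", b"\x00\x01\x02\x03")            # Pixel Data, 4 bytes
)
# Same study, but the Pixel Data header claims 64 bytes while only 4 follow: a decoder that
# trusts the field would read or write 60 bytes beyond the received buffer.
SAMPLE_MALFORMED = (
    _element(0x0008, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.2")
    + struct.pack("<HH", 0x7FE0, 0x0010) + b"OB\x00\x00" + struct.pack("<I", 64) + b"\x00\x01\x02\x03"
)
MODALITIES = {"ct1": ("CT_SCANNER_1", "10.20.30.40"), "mri1": ("MRI_SIEMENS", "10.20.30.41")}

if __name__ == "__main__":
    for (g, e), vr, val in parse_elements(SAMPLE_GOOD):
        print(f"({g:04X},{e:04X}) {vr} len={len(val)}")
    print("malformed accepted:", is_well_formed(SAMPLE_MALFORMED))
    print("unknown AE accepted:", accept_association("EVIL", "10.20.30.40", "ORTHANC", MODALITIES, "ORTHANC"))
```

The bounds check on the declared length, placed before the slice, is the whole point: a length field is attacker-controlled input, and the cap on `max_value_len` keeps a single 4-byte field from sizing a heap allocation. The AE-title check mirrors the posture in the brief; the real PACS still has to enforce it at association time, before any element is decoded.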

CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform (Cisco PSIRT, 2026-05-20). An unauthenticated remote attacker sends a single crafted HTTP request to an internal API endpoint to be granted Site Admin-level privileges — enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries. Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21. The attack surface is the internal REST API management plane — restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: T1190 Exploit Public-Facing Application. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.

CVE Summary Table

CVE            | Product                          | CVSS                 | EPSS | KEV              | Exploited                 | Patch                 | Source
CVE-2026-34926 | Trend Micro Apex One On-Premise  | 6.7                  | n/a  | Yes (2026-05-21) | Yes (ITW)                 | Build 17079           | Trend Micro
CVE-2025-34291 | Langflow AI Platform             | 9.4 (v4) / 8.8 (v3)  | n/a  | Yes (2026-05-21) | Yes (ITW since Jan 2026)  | >= 1.7.0 / 1.9.3      | CISA KEV
CVE-2026-20223 | Cisco Secure Workload            | 10.0                 | n/a  | No               | No (disclosed internally) | 3.10.8.3 / 4.0.3.17   | Cisco PSIRT

Cisco Talos: "demo.pdb" BadIIS variant now a commodity MaaS IIS ISAPI backdoor; lwxat developer alias, builder tool recovered

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

Cisco Talos published on 2026-05-19 the first MaaS-ecosystem analysis of a BadIIS variant identifiable by embedded demo.pdb path strings in the ISAPI DLL binary. PDB-metadata correlation traces development to a single developer alias "lwxat" active from at least September 2021 through January 2026, with iterative updates and Norton-AV-specific evasion features. Talos recovered a dedicated builder tool that lets operators generate configuration files and inject parameters into BadIIS ISAPI DLL payloads — traffic redirection to illicit sites, search-engine-crawler proxying, content hijacking, and back-link injection for SEO-fraud monetisation. The ISAPI DLL hooks into the Windows IIS request pipeline by registering as an ISAPI filter or extension (loaded from applicationHost.config or per-site web.config), intercepting HTTP requests to hosted sites and selectively modifying responses — serving different content to crawler vs. human browsers or proxying requests to attacker-controlled infrastructure. Talos describes the geographic distribution as primarily the Asia-Pacific region with a smaller number of compromised servers in South Africa, Europe, and North America; the activity overlaps with the broader DragonRank SEO-poisoning ecosystem Talos previously documented under the actor cluster UAT-8099. BadIIS itself is not a vulnerability — it requires a prior IIS-server compromise (web-shell, vulnerable CMS plugin) to plant the DLL. Detection concepts: enumerate applicationHost.config and each site's web.config for unexpected <isapiFilters> / <httpModules> entries; alert on IIS worker (w3wp.exe) loading DLLs from non-standard paths (Sysmon EID 7); monitor IIS response-body sizes for anomalies on content that should be static; alert on w3wp.exe initiating outbound HTTP to non-allow-listed destinations. 
Relevance for Swiss / EU public-sector defenders is secondary (regional focus is APAC), but the IIS-pipeline hijack pattern is jurisdiction-agnostic — any organisation with IIS-fronted CMS deployments should run the configuration-enumeration sweep.
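The configuration-enumeration sweep from the detection concepts above, as an added Python example written for this page (it is not Talos tooling). It parses an applicationHost.config-shaped XML document, walks every `<isapiFilters>` and `<globalModules>` section including those scoped under `<location>`, and flags entries that are either absent from a per-server allow-list or loaded from a directory where IIS binaries do not normally live. The sample configuration, the allow-list and the directory list are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

Finding = Tuple[str, str, str, str]  # (section, entry name, image path, reasons)

# Directories IIS normally loads filters/modules from (assumed baseline for this example).
EXPECTED_DIRS = (
    r"%windir%\system32\inetsrv",
    r"c:\windows\system32\inetsrv",
    r"%windir%\microsoft.net\framework64",
    r"%windir%\microsoft.net\framework",
    r"c:\windows\microsoft.net\framework64",
    r"c:\windows\microsoft.net\framework",
)


def _norm(path: str) -> str:
    return path.strip().lower().replace("/", "\\")


def _check(section: str, name: str, path: str, allowlist: Set[str]) -> Optional[Finding]:
    reasons = []
    if name not in allowlist:
        reasons.append("not in allow-list")
    if not any(_norm(path).startswith(_norm(d)) for d in EXPECTED_DIRS):
        reasons.append("loaded from unexpected directory")
    if not _norm(path).endswith(".dll"):
        reasons.append("image is not a .dll")
    return (section, name, path, "; ".join(reasons)) if reasons else None


def audit_iis_config(xml_text: str, allowlist: Set[str]) -> List[Finding]:
    """Return suspicious ISAPI filter / global module entries in document order."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    # <globalModules><add name= image=> (server level only, but iterate defensively)
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            f = _check("globalModules", add.get("name", "?"), add.get("image", ""), allowlist)
            if f:
                findings.append(f)
    # <isapiFilters><filter name= path=> at server level and inside <location path="Site">
    for section in root.iter("isapiFilters"):
        for flt in section.findall("filter"):
            f = _check("isapiFilters", flt.get("name", "?"), flt.get("path", ""), allowlist)
            if f:
                findings.append(f)
    return findings


# Constructed sample: one legitimate entry per section plus two that should be investigated.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="IisCache" image="C:\Windows\Temp\cache.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit" path="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll" enabled="true" />
    </isapiFilters>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <isapiFilters>
        <filter name="Compression" path="C:\inetpub\wwwroot\bin\compress.dll" enabled="true" />
      </isapiFilters>
    </system.webServer>
  </location>
</configuration>
"""
ALLOWLIST = {"StaticFileModule", "ASP.Net_4.0_64bit"}

if __name__ == "__main__":
    for section, name, path, reasons in audit_iis_config(SAMPLE_CONFIG, ALLOWLIST):
        print(f"[{section}] {name} -> {path}: {reasons}")
```

Run it against a copy of `%windir%\System32\inetsrv\config\applicationHost.config` and each site's web.config; the allow-list should be generated from a known-good server of the same role rather than written by hand, so that a planted entry cannot simply be added to it.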

CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin across all tenants, no workaround

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

An access-validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform, lets an unauthenticated network attacker obtain Site Admin privileges across all tenants (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). There is no workaround — patching is the only remediation. No confirmed exploitation yet, but a perfect-10 zero-auth admin bug on a segmentation controller is an attractive target: compromise of the micro-segmentation fabric undermines every downstream lateral-movement control. NCSC.ch carried it on the Cyber Security Hub (post 12588). Patch on the highest-priority schedule and restrict management-plane network reachability in the interim.

Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

If you did nothing this week: any Catalyst SD-WAN Manager or Controller with an internet-reachable management plane has been within UAT-8616's active exploitation window per Cisco Talos's 2026-05-14 timeline — with full fabric-takeover capability via a pre-authentication HTTP-header parsing bypass in the NETCONF gateway. The published kill chain is HTTP-header injection → authentication bypass → vManage administrative API → orchestrator-level configuration push → arbitrary device-config rewrite across every fabric member. Patches are available (vManage 20.13.4 / 20.12.6 / 20.9.7 / earlier branches per Cisco PSIRT); CISA issued Emergency Directive ED-26-03 on 2026-05-15 mandating identification, mitigation, and reporting for US federal civilian agencies with a 2026-05-17 (today) deadline (Cisco PSIRT; CISA ED-26-03; daily 2026-05-15).

What makes the SD-WAN picture operationally critical for Swiss / EU defenders even after the patches land is the approximately 10 additional intrusion clusters Talos and CISA jointly identified exploiting February-2026 Catalyst SD-WAN companion CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 — patched in Q1 2026 but with public-PoC availability that drove a wave of secondary exploitation against organisations that lagged the original patch). The 10-cluster figure indicates the SD-WAN attack surface is being mined systematically by multiple unrelated operators, not just UAT-8616, so the hunt is not bounded to a single named cluster's TTPs: review vmanage_event and NETCONF-gateway logs for any 401/403→200 transitions on /dataservice/* endpoints from external source IPs across the entire Q1-2026 → present window, and assume any unpatched device has been visited.
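The 401/403→200 hunt described above, as added example code for this page (not Talos, CISA or Cisco tooling). It assumes access logs in a common-log-format layout; the real vManage log layout may differ, so the regex is the part to adapt. The log lines, the RFC 5737 source addresses and the internal-network list are constructed.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Assumed common-log-format layout: "<ip> - - [<ts>] "<METHOD> <path> HTTP/x" <status> <size>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Hit = Tuple[str, str, str, str]  # (source ip, denied status, denied path, later 200 path)


def is_external(ip: str, internal_nets=INTERNAL_NETS) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in internal_nets)


def find_auth_transitions(lines: Iterable[str], prefix: str = "/dataservice/",
                          internal_nets=INTERNAL_NETS) -> List[Hit]:
    """For each external source IP, report a 401/403 on `prefix` that is followed (in log
    order) by a 200 on `prefix` from the same IP. Each denial is consumed by at most one hit."""
    last_denied = {}
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsed line: leave it, never silently treat as benign
        ip, path, status = m["ip"], m["path"], m["status"]
        if not path.startswith(prefix) or not is_external(ip, internal_nets):
            continue
        if status in ("401", "403"):
            last_denied[ip] = (status, path)
        elif status == "200" and ip in last_denied:
            dstatus, dpath = last_denied.pop(ip)
            hits.append((ip, dstatus, dpath, path))
    return hits


# Constructed sample: one external denial-then-success, one internal (ignored),
# one external 200 with no preceding denial on the prefix (ignored).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2026:02:11:03 +0000] "GET /dataservice/client/token HTTP/1.1" 401 0',
    '203.0.113.7 - - [14/May/2026:02:11:05 +0000] "POST /dataservice/device/action/install HTTP/1.1" 200 512',
    '10.1.2.3 - - [14/May/2026:02:12:00 +0000] "GET /dataservice/client/token HTTP/1.1" 403 0',
    '10.1.2.3 - - [14/May/2026:02:12:02 +0000] "GET /dataservice/device HTTP/1.1" 200 2048',
    '198.51.100.9 - - [14/May/2026:02:13:00 +0000] "GET /dataservice/device HTTP/1.1" 200 2048',
    '198.51.100.9 - - [14/May/2026:02:13:10 +0000] "GET /index.html HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, dstatus, dpath, okpath in find_auth_transitions(SAMPLE_LOG):
        print(f"{ip}: {dstatus} on {dpath} then 200 on {okpath}")
```

A hit is a triage candidate, not a verdict: a normal login also produces a denial followed by a success, so exclude known authentication paths or require the 200 to land on a privileged endpoint before escalating. Running the query over the whole Q1-2026 to present window is what the brief asks for.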

CISA Emergency Directive ED-26-03 — Cisco Catalyst SD-WAN

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Issued 2026-05-15 mandating identification, mitigation, and reporting on CVE-2026-20182 for US federal civilian agencies with a 2026-05-17 (today) deadline. For Swiss / EU public-sector defenders the US-FCEB compliance date itself is not operational signal (per the inherited PD-13) but the issuance of an Emergency Directive is. Use the ED's mitigation matrix as a reference for your own SD-WAN response posture (CISA ED-26-03; Daily 2026-05-15).

UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

Cisco Talos published an updated exploitation bulletin on 2026-05-14 documenting active, in-the-wild exploitation of CVE-2026-20182 — a complete pre-authentication bypass in the Cisco Catalyst SD-WAN Controller — by UAT-8616, a highly sophisticated actor assessed to have operated against Cisco SD-WAN infrastructure since at least 2023 with ORB-network-hosted tooling (Cisco Talos, 2026-05-14). Separately, at least 10 additional less-sophisticated threat clusters (Cluster #1 through #10 in Talos's taxonomy) have been exploiting the companion February 2026 CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) since March 2026 (Rapid7, 2026-05-14). Post-exploitation activity includes deployment of Godzilla, Behinder, and XenShell webshells; AdaptixC2, Sliver, and Nimplant C2 frameworks; XMRig cryptomining; and log-wiping to remove syslog, wtmp, and lastlog artefacts. UAT-8616 additionally performs a targeted version-downgrade to re-expose CVE-2022-20775 (local privilege escalation to root), then restores the original version to erase the downgrade trace. CISA issued Emergency Directive ED-26-03 on 2026-05-14 designating this the sixth Cisco SD-WAN CVE exploited in 2026; companion CVEs CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 were being exploited by multiple clusters since March 2026. Snort detection signatures: 66482–66483 (CVE-2026-20182), 66468–66469 (CVE-2026-20133), 66461–66462 (CVE-2026-20122). Hunt: look for unexpected NETCONF sessions on TCP/830 from Controller processes; additions to /home/vmanage-admin/.ssh/authorized_keys; out-of-sequence software downgrade/upgrade log events in vManage; and peer registrations from unknown ASNs in show sdwan control connections.
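The "out-of-sequence software downgrade/upgrade" hunt above targets the version-downgrade-then-restore step attributed to UAT-8616. The following Python is added example code for this page (not Talos or Cisco tooling) that finds that pattern in a list of software-change events: a host moved to a lower version and then brought back to the original version within a window. It assumes events have already been extracted into `(timestamp, host, from_version, to_version)` tuples; the events and the lower versions are constructed, the event schema is hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

Event = Tuple[str, str, str, str]          # (ISO timestamp, host, from_version, to_version)
Cycle = Tuple[str, str, str, str, str]     # (host, original, downgraded-to, t_down, t_restore)


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric comparison of dotted versions, so 20.12.5.4 > 20.9.7 (string order would not)."""
    return tuple(int(p) for p in v.split("."))


def find_downgrade_upgrade_cycles(events: List[Event],
                                  window: timedelta = timedelta(hours=24)) -> List[Cycle]:
    """Flag each host that is downgraded and then restored to at least the original
    version within `window`. Plain upgrades and isolated downgrades are not flagged."""
    by_host = defaultdict(list)
    for ts, host, old, new in sorted(events):  # ISO timestamps sort chronologically
        by_host[host].append((datetime.fromisoformat(ts), old, new))
    cycles: List[Cycle] = []
    for host, evs in by_host.items():
        for i, (t_down, old, new) in enumerate(evs):
            if version_key(new) >= version_key(old):
                continue  # not a downgrade
            for t_up, old2, new2 in evs[i + 1:]:
                if t_up - t_down > window:
                    break
                if old2 == new and version_key(new2) >= version_key(old):
                    cycles.append((host, old, new, t_down.isoformat(), t_up.isoformat()))
                    break
    return cycles


# Constructed sample events. vmanage-1 shows the downgrade/restore cycle within 40 minutes;
# vmanage-2 is a normal upgrade; vmanage-3's restore happens four days later (outside window).
SAMPLE_EVENTS: List[Event] = [
    ("2026-05-10T01:00:00", "vmanage-1", "20.12.5.4", "20.9.3"),
    ("2026-05-10T01:40:00", "vmanage-1", "20.9.3", "20.12.5.4"),
    ("2026-05-11T09:00:00", "vmanage-2", "20.9.7", "20.12.6"),
    ("2026-05-01T03:00:00", "vmanage-3", "20.12.6", "20.9.7"),
    ("2026-05-05T03:00:00", "vmanage-3", "20.9.7", "20.12.6"),
]

if __name__ == "__main__":
    for host, orig, low, t1, t2 in find_downgrade_upgrade_cycles(SAMPLE_EVENTS):
        print(f"{host}: {orig} -> {low} at {t1}, restored at {t2}")
```

The window is deliberately short: the behaviour described is a downgrade used as a stepping stone and then undone to erase the trace, so a same-day cycle is the signal, while a rollback that stays in place for days is more likely operational.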

CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

CVE-2026-20182 (CVSS 10.0, CWE-287) is a complete authentication bypass in the vdaemon service's DTLS control-plane peering on UDP/12346 (Cisco PSIRT cisco-sa-sdwan-rpa2-v69WY2SW, 2026-05-14 · Rapid7, 2026-05-14). The vbond_proc_challenge_ack() function processes CHALLENGE_ACK messages without checking the claimed device type: a connecting device claiming type 2 (vHub) using a self-signed certificate is unconditionally marked as authenticated. The attacker then sends MSG_VMANAGE_TO_PEER (message type 14) to inject an SSH public key into /home/vmanage-admin/.ssh/authorized_keys, achieving persistent SSH access to the SD-WAN Manager on NETCONF port TCP/830. From there, the attacker has full control of SD-WAN fabric configuration, routing policy, and can read or modify all managed-site configurations. Added to CISA KEV on 2026-05-14 with active exploitation confirmed. No workaround exists; network segmentation of the UDP/12346 interface is the only partial mitigation where upgrading is not immediately possible. Fixed: 20.9.9.1, 20.12.5.4/6.2/7.1, 20.15.4.4/5.2, 20.18.2.2, 26.1.1.1.