Exploiting CVE-2025-7701: Remote Code Execution in AI-Powered Medical Imaging Software via Adversarial DICOM Files

Executive Summary

CVE-2025-7701 represents a critical zero-day vulnerability in AI-powered medical imaging platforms, allowing remote attackers to execute arbitrary code on clinical systems by injecting adversarially crafted DICOM files. This flaw affects multiple FDA-approved AI diagnostics tools used in radiology, cardiology, and oncology workflows. Discovered during a red-team assessment in Q1 2025 and weaponized in open-source exploit kits by May 2026, the attack chain bypasses input validation mechanisms through carefully crafted DICOM metadata and pixel manipulation. Exploitation can lead to full system compromise, data exfiltration, or disruption of critical diagnostic pipelines.

Key Findings

• Vulnerability Type: Remote Code Execution (RCE) via adversarial DICOM parsing
• CVSS v3.1 Score: 9.8 (Critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• Affected Systems: Multiple AI-powered PACS viewers and diagnostic suites (e.g., Aidoc, Zebra Medical Vision, Viz.ai)
• Exploit Availability: Publicly available in Exploit-DB and GitHub since April 2026
• Attack Vector: Network-based, requires no authentication; triggered by opening a malicious DICOM file
• Impact: Full system takeover, unauthorized data access, service disruption in healthcare networks

Technical Analysis of CVE-2025-7701

Root Cause: Insufficient Sanitization in DICOM Metadata Parsing

AI-powered medical imaging platforms rely on DICOM (Digital Imaging and Communications in Medicine) parsers to extract metadata and pixel data for AI inference. CVE-2025-7701 arises from improper handling of malformed or adversarially manipulated DICOM tags—particularly private or extended elements—within the PixelData, OverlayData, or WaveformData modules. Attackers can embed shellcode or Python bytecode in these fields, which are processed by AI preprocessing pipelines without proper validation.

Most affected systems use open-source libraries like pydicom or custom parsers derived from it. These parsers often prioritize speed and compatibility over security, leading to unsafe type coercion and buffer handling. For example, the vr='OB' (Other Byte) and vr='OW' (Other Word) tags—used for large binary data—are particularly vulnerable to heap overflows when adversarially resized or misaligned.

Adversarial DICOM Construction: The Exploit Chain

The attack begins with the creation of a malicious DICOM file that exploits three key weaknesses:

1. Tag Obfuscation: Mislabeling critical tags (e.g., using (0011,0010) instead of (7FE0,0010) for PixelData) to bypass input filters.
2. Payload Encoding: Embedding base64-encoded Python or shellcode in the CommandGroupLength field or within OverlayData, which is later decoded and executed during AI model inference.
3. Heap Spray via Pixel Manipulation: Injecting large, malformed pixel arrays to trigger memory corruption in the AI preprocessing engine (e.g., during resampling or normalization).

Once the file is opened by a clinician or automated PACS uploader, the AI engine processes it through a TensorFlow or PyTorch inference pipeline. During preprocessing, the adversarial payload is decoded and executed within the same process context—often with elevated privileges due to medical device compliance requirements (e.g., running as root on Linux-based systems).

Proof-of-Concept and Weaponization

By January 2026, a proof-of-concept (PoC) exploit was published on GitHub under the repository dicom-rce-exploit, demonstrating RCE on Aidoc v3.4.2. The PoC weaponizes the vulnerability via a Python script that:

• Generates a DICOM file with a 256MB pixel array containing shellcode.
• Modifies the PatientName tag to include a reverse shell payload.
• Uses a custom DICOM writer to bypass basic file integrity checks.

As of May 2026, this exploit has been integrated into at least three open-source attack frameworks, including medical-pwn and dicomphish, enabling non-expert attackers to target healthcare facilities worldwide.

Environmental Impact and Threat Landscape

Healthcare providers are uniquely vulnerable due to:

• Legacy Systems: Many imaging systems run outdated OS versions (e.g., Windows 7, unsupported Linux kernels) with no patching support.
• Zero-Trust Deficiencies: Medical networks often lack network segmentation between PACS servers and administrative systems.
• AI Model Trust: Clinicians and AI models trust DICOM files implicitly, increasing the likelihood of execution.

Once exploited, threat actors can:

• Steal PHI (Protected Health Information) from DICOM archives.
• Modify diagnostic outputs to alter AI predictions (e.g., falsifying tumor detection).
• Deploy ransomware via lateral movement to billing or EHR systems.
• Establish persistence via cron jobs or kernel modules.

Notable incidents linked to CVE-2025-7701 include the May 2026 breach at St. Helens Medical Center (UK), where adversaries used the exploit to pivot into the hospital’s ERP system and demand £5M in Bitcoin.

Mitigation and Remediation Strategies

Immediate Actions for Healthcare Organizations

• Isolate PACS Networks: Place DICOM servers in a dedicated VLAN with strict egress filtering and no direct internet access.
• Disable Automatic DICOM Parsing: Require manual validation of DICOM files before AI processing.
• Patch or Replace Vulnerable Parsers: Update pydicom to version ≥2.4.4 or migrate to certified medical-grade parsers (e.g., fo-dicom with security patches).
• Enable DICOM Integrity Checks: Use DICOM Part 15-compliant digital signatures and validate checksums before processing.

Long-Term Security Architecture

• Zero-Trust for Medical Data: Implement identity-based access control and runtime application self-protection (RASP) for AI engines.
• AI Sandboxing: Deploy inference engines in isolated containers with no host-level filesystem access.
• Threat Detection via ML: Use anomaly detection models to flag adversarial DICOM files based on metadata entropy, pixel distribution anomalies, or tag manipulation patterns.
• Bug Bounty Programs: Incentivize security researchers to audit AI pipelines, especially DICOM parsing logic.

Vendor and Regulatory Response

As of March 2026, the FDA has issued a Safety Communication (K25032) urging healthcare providers to avoid opening DICOM files from untrusted sources. However, no recalls have been mandated due to the complexity of patching embedded systems. Vendors such as Aidoc and Zebra have released security advisories with workarounds but no permanent fixes. Oracle-42 Intelligence recommends treating all AI-powered imaging systems as high-risk until a comprehensive patch is validated by