CVE-2025-36521: 
MicroDicom DICOM Viewer vulnerability analysis and mitigation

MicroDicom DICOM Viewer versions 2025.1 (Build 3321) and prior are affected by an out-of-bounds read vulnerability (CVE-2025-36521). The vulnerability was discovered by Michael Heinzl and reported to CISA, with public disclosure on May 1, 2025. The vulnerability requires user interaction through opening a malicious DCM file for exploitation (CISA Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) that could lead to memory corruption within the application. It has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Additionally, it has been assigned a CVSS v4.0 score of 8.6 (HIGH) with the vector string AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (CISA Advisory).

Successful exploitation of this vulnerability could allow an attacker to cause memory corruption within the application, potentially leading to information disclosure or application crashes (CISA Advisory).

MicroDicom has released version 2025.2 to address this vulnerability. Users are recommended to update to this version or later. CISA recommends minimizing network exposure for all control system devices, ensuring they are not accessible from the internet, locating control system networks behind firewalls, and using secure methods like VPNs when remote access is required (CISA Advisory, MicroDicom Downloads).