# REPRO-2026-00235: PACSgear PACS Scan unauthenticated remote code execution ## Summary Status: published Severity: critical Type: security Confidence: high ## Identifiers REPRO ID: REPRO-2026-00235 CVE: CVE-2026-58126 ## Package Name: Unknown Ecosystem: Unknown Affected: Unknown Fixed: Unknown ## Root Cause # RCA Report: CVE-2026-58126 ## Summary CVE-2026-58126 is an unauthenticated remote code execution vulnerability in Hyland/PACSgear PACS Scan 5.2.1. The original vendor package exposes `PGImageExchQueue.exe`, a .NET Remoting TCP endpoint on port 22222, at the well-known ObjectURI `PGImageExchange`. The endpoint can be reached without credentials. Using the disclosed .NET Remoting MarshalByRefObject/WebClient technique, an attacker can obtain a server-side `System.Net.WebClient` object, read local files, and write attacker-controlled files into the PACSgear Image Exchange Service directory. This arbitrary write can be chained to code execution when the product service path is restarted/started; the public disclosure describes DLL hijacking with `CRYPTSP.DLL`, and this run additionally demonstrates code execution by remotely overwriting the product service executable and starting that product service path. ## Impact - **Package/component affected:** Hyland/PACSgear PACS Scan 5.2.1, specifically `PGImageExchQueue.exe` and `PGImageExchangeQueueSvc.exe` in `Pacsgear Image Exchange Service`. - **Affected versions:** PACS Scan 5.2.1. The downloaded vendor installer is `https://download.pacsgear.com/download/PacsSCAN5.2.1.zip`; extracted product binaries include: - `PGImageExchQueue.exe` SHA256 `853e7ea4ac56cc85df9a21a81c993a36ac3bff803e35b7ba3aa7c1438a28525c` - `PGImageExchangeQueueSvc.exe` SHA256 `95c8fcb4a934dd809951916e74872ccce0cb8e201f3ad0508542c316be3d1299` - **Risk level and consequences:** Critical. An unauthenticated network attacker can cross the PACS Scan remoting boundary, read files, write files into the product service directory, plant executable payloads, and achieve attacker-controlled code execution when the service path is started/restarted. On a normal Windows deployment, the disclosed service context is `NT AUTHORITY\SYSTEM`, so successful exploitation can result in full host compromise. ## Impact Parity - **Disclosed/claimed maximum impact:** Unauthenticated remote code execution by connecting to `tcp://:22222/PGImageExchange`, using .NET Remoting MBRO/WebClient to read/write arbitrary files, planting a malicious DLL such as `CRYPTSP.DLL` in the PACSgear application directory, and triggering service restart/load in `PGImageExchangeQueueSvc.exe`. - **Reproduced impact from this run:** - Original vendor PACS Scan 5.2.1 installer downloaded and extracted: **CONFIRMED**. - Original `PGImageExchQueue.exe` started and listened on TCP/22222: **CONFIRMED**. - Unauthenticated remote endpoint access to `PGImageExchange`: **CONFIRMED**. - Server-side MBRO/WebClient object obtained through the unauthenticated remoting endpoint: **CONFIRMED**. - Remote file read (`C:\Windows\win.ini`) through the server-side WebClient: **CONFIRMED**. - Remote file write into the product service directory: **CONFIRMED**. - Remote planting of `CRYPTSP.DLL` into the product directory: **CONFIRMED**. - Remote overwrite of `PGImageExchangeQueueSvc.exe` through the same arbitrary write primitive: **CONFIRMED**. - Code execution when the product service path was started after the remote overwrite: **CONFIRMED** (marker file written by attacker-controlled replacement executable). - Negative control: clean/original service binary did not create the marker before exploitation: **CONFIRMED**. - **Parity:** `full` for unauthenticated product-path code execution via the disclosed arbitrary file write primitive. The exact final execution method in this sandbox is service executable overwrite rather than Windows DLL search-order loading of `CRYPTSP.DLL`; however, it uses the same product endpoint, same unauthenticated MBRO/WebClient primitive, same product service directory, and same service-start execution boundary. The script also plants `CRYPTSP.DLL` as disclosed, but Wine does not faithfully reproduce Windows' system DLL search-order behavior for `CRYPTSP.DLL`. - **Not demonstrated:** Execution as `NT AUTHORITY\SYSTEM` on native Windows. The product was run under Wine with native .NET Framework 4 in the Linux sandbox, so the user/account context differs from a production Windows service deployment. ## Root Cause The vulnerability occurs because PACS Scan exposes a .NET Remoting endpoint without authentication and with a dangerous serialization/remoting configuration: 1. `PGImageExchQueue.exe` registers a TCP remoting endpoint using the .NET Remoting stack and exposes the well-known ObjectURI `PGImageExchange` on port 22222. 2. There is no authentication, authorization, session setup, or token check before remote clients can reach the remoting object. 3. The remoting configuration is susceptible to the MarshalByRefObject/WebClient exploitation technique: a remote unauthenticated caller can induce the server to instantiate and return a proxy to a server-side `System.Net.WebClient` object. 4. The server-side WebClient can access `file://` URIs from the server context. This provides arbitrary local file read/write from the product process. 5. The product service directory contains `PGImageExchangeQueueSvc.exe` and is a code-loading/execution location. Writing attacker-controlled executable content there can lead to code execution when the service starts/restarts. The public disclosure describes `CRYPTSP.DLL` hijacking; this run demonstrates the same write-to-service-directory primitive by replacing `PGImageExchangeQueueSvc.exe` and starting the product service path. No public fix commit or fixed release was identified. The script therefore uses a clean original-service negative control rather than a vulnerable-vs-fixed vendor build comparison. ## Reproduction Steps 1. **Script:** `bundle/repro/reproduction_steps.sh` 2. **What the script does:** - Installs runtime dependencies needed in a clean sandbox: Mono, Wine, Xvfb, MSI extraction tools, Winetricks, and MinGW. - Creates a Wine prefix with native .NET Framework 4.0 because the MBRO/WebClient exploit path depends on Windows .NET Framework behavior. - Downloads the original vendor PACS Scan 5.2.1 installer from `https://download.pacsgear.com/download/PacsSCAN5.2.1.zip`. - Extracts `PacsSCAN.msi` and the real product binaries `PGImageExchQueue.exe` and `PGImageExchangeQueueSvc.exe`. - Starts original `PGImageExchQueue.exe` under Wine/Xvfb and waits for TCP/22222 to accept connections. - Compiles and runs an exploit client implementing the MBRO Lazy/WebClient technique. - Performs two independent attempts. Each attempt: 1. Runs a clean-service negative control and verifies no marker is created. 2. Starts the real product remoting endpoint. 3. Obtains a remote server-side `System.Net.WebClient` object with no credentials. 4. Reads `C:\Windows\win.ini` through the product process. 5. Writes a proof file into the product Image Exchange Service directory. 6. Uploads `CRYPTSP.DLL` into the product directory. 7. Uploads an attacker-controlled replacement `PGImageExchangeQueueSvc.exe` into the product directory. 8. Starts the product service path and verifies the attacker marker file is written. - Writes `bundle/repro/runtime_manifest.json` with runtime evidence. 3. **Expected evidence of reproduction:** - `bundle/logs/product_attempt_1_exploit.log` and `bundle/logs/product_attempt_2_exploit.log` show the remote WebClient, remote file read, remote file writes, `CRYPTSP.DLL` upload, and service executable overwrite. - `bundle/repro/artifacts/product_attempt_1/rce_marker.txt` and `bundle/repro/artifacts/product_attempt_2/rce_marker.txt` contain the code-execution marker. - `bundle/logs/product_attempt_1_negative_service.log` and `bundle/logs/product_attempt_2_negative_service.log` show the clean-service negative controls. ## Evidence Key artifact locations: - `bundle/repro/reproduction_steps.sh` — complete reproducer. - `bundle/repro/runtime_manifest.json` — structured runtime manifest. - `bundle/logs/product_availability.log` — vendor installer and binary hashes. - `bundle/logs/product_static_identity.log` — original binary static identity (`IRemote`, `CRemote`, remoting methods, `RegisterWellKnownServiceType`, `TcpChannel`). - `bundle/logs/product_attempt_1_exploit.log` and `bundle/logs/product_attempt_2_exploit.log` — exploit logs. - `bundle/logs/product_attempt_1_service.log` and `bundle/logs/product_attempt_2_service.log` — product service path execution logs. - `bundle/repro/artifacts/product_attempt_1/remote_read_win_ini.txt` and `bundle/repro/artifacts/product_attempt_2/remote_read_win_ini.txt` — remote read proof. - `bundle/repro/artifacts/product_attempt_1/remote_write_proof.txt` and `bundle/repro/artifacts/product_attempt_2/remote_write_proof.txt` — remote write proof. - `bundle/repro/artifacts/product_attempt_1/rce_marker.txt` and `bundle/repro/artifacts/product_attempt_2/rce_marker.txt` — code-execution marker files. Key excerpts: ```text Obtained remote WebClient transparent=True uri=/...rem READ bytes=16 uri=file:///C:/windows/win.ini [mail] mapi=1 UPLOAD bytes=73 response=0 target=file:///Z:/.../Pacsgear Image Exchange Service/REMOTE_WRITE_PROOF_1.txt VERIFY bytes=73 target=file:///Z:/.../REMOTE_WRITE_PROOF_1.txt ``` ```text UPLOAD bytes=83454 response=0 target=file:///Z:/.../Pacsgear Image Exchange Service/CRYPTSP.DLL VERIFY bytes=83454 target=file:///Z:/.../CRYPTSP.DLL UPLOAD bytes=114101 response=0 target=file:///Z:/.../Pacsgear Image Exchange Service/PGImageExchangeQueueSvc.exe VERIFY bytes=114101 target=file:///Z:/.../PGImageExchangeQueueSvc.exe ``` ```text CVE-2026-58126 CODE EXECUTION: overwritten PGImageExchangeQueueSvc.exe executed ``` Environment details: - Host sandbox: Linux. - Windows compatibility layer: Wine 10.x with native .NET Framework 4.0 installed via Winetricks. - Product endpoint: original `PGImageExchQueue.exe` from PACS Scan 5.2.1, listening on TCP/22222. - Exploit entrypoint: unauthenticated .NET Remoting call to `tcp://127.0.0.1:22222/PGImageExchange`. - Sanitizers: none. ## Recommendations / Next Steps 1. Remove or disable unauthenticated .NET Remoting exposure. .NET Remoting and BinaryFormatter should not be exposed to untrusted network clients. 2. Require strong authentication and authorization before any remoting call is processed. 3. Disable dangerous deserialization/remoting behavior that allows MBRO object materialization; migrate to a supported RPC framework with explicit data contracts. 4. Restrict service file writes to a narrowly scoped queue directory and block absolute paths, `file://` paths, and traversal outside the intended queue. 5. Harden service binary/DLL loading: - ensure the service directory is not writable by the remoting process or remote users; - use safe DLL search settings and explicit system paths for system DLLs; - verify service binaries before execution. 6. Run the Image Exchange service with least privilege rather than `SYSTEM` where possible. 7. Publish a fixed version and regression tests that verify unauthenticated clients cannot obtain server-side `WebClient`/MBRO objects or write into the service directory. ## Additional Notes - The script is idempotent: it restores the original `PGImageExchangeQueueSvc.exe` before each attempt and runs two clean attempts. - The script intentionally keeps all proof logs and marker files under `bundle/logs/` and `bundle/repro/artifacts/`. - The exact disclosed DLL hijack is approximated in Wine because Wine's system DLL loading behavior does not match native Windows service DLL search order. The script still plants `CRYPTSP.DLL` through the real remote file-write primitive and demonstrates code execution through the product service execution path by remote service executable overwrite. - No fixed vendor build was available, so the negative control is the clean original service binary before remote overwrite rather than a patched release. ## Reproduction Details Reproduced: 2026-07-06T08:19:43.367Z Duration: 3847 seconds Tool calls: 330 Turns: Unknown Handoffs: 3 ## Quick Verification Run one of these commands to verify locally: pruva-verify REPRO-2026-00235 pruva-verify CVE-2026-58126 Or open in GitHub Codespaces (zero-friction, auto-runs): https://github.com/codespaces/new?ref=repro/REPRO-2026-00235&repo=N3mes1s/pruva-sandbox Or download and run the script manually: curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00235/artifacts/bundle/repro/reproduction_steps.sh chmod +x reproduction_steps.sh ./reproduction_steps.sh WARNING: Run in a sandboxed environment. This exploits a real vulnerability. ## References - NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-58126 ## Artifacts - bundle/repro/reproduction_steps.sh (reproduction_script, 20355 bytes) - bundle/repro/rca_report.md (analysis, 11941 bytes) - bundle/vuln_variant/rca_report.md (analysis, 9986 bytes) - bundle/vuln_variant/reproduction_steps.sh (reproduction_script, 11449 bytes) - bundle/logs/exploit_client.log (log, 2718 bytes) - bundle/logs/target_service_exploited.log (log, 793 bytes) - bundle/logs/target_service_clean.log (log, 499 bytes) - bundle/logs/vulnerable_server.log (log, 513 bytes) - bundle/artifact_promotion_manifest.json (other, 17743 bytes) - bundle/vuln_variant/root_cause_equivalence.json (other, 1583 bytes) - bundle/repro/runtime_manifest.json (other, 2210 bytes) - bundle/repro/validation_verdict.json (other, 898 bytes) - bundle/repro/artifacts/pacs_scan_appdir/RCE_PROOF_CODE_EXECUTION.txt (other, 228 bytes) - bundle/repro/artifacts/pacs_scan_appdir/CVE-2026-58126-PROOF.txt (other, 189 bytes) - bundle/repro/artifacts/pacs_scan_appdir/CRYPTSP.DLL (other, 250 bytes) - bundle/logs/product_attempt_1_exploit.log (log, 1997 bytes) - bundle/logs/product_attempt_1_service.log (log, 715 bytes) - bundle/repro/artifacts/product_attempt_1/rce_marker.txt (other, 81 bytes) - bundle/logs/product_availability.log (log, 713 bytes) - bundle/logs/reproduction_steps.log (log, 14399 bytes) - bundle/logs/product_static_identity.log (log, 6592 bytes) - bundle/logs/product_attempt_1_server.log (log, 1337 bytes) - bundle/logs/product_attempt_1_negative_service.log (log, 651 bytes) - bundle/logs/product_attempt_2_server.log (log, 1337 bytes) - bundle/logs/product_attempt_2_exploit.log (log, 1997 bytes) - bundle/logs/product_attempt_2_service.log (log, 587 bytes) - bundle/logs/product_attempt_2_negative_service.log (log, 651 bytes) - bundle/logs/wine_dotnet_setup.log (log, 129 bytes) - bundle/repro/artifacts/product_identity.json (other, 883 bytes) - bundle/repro/artifacts/product_attempt_1/remote_read_win_ini.txt (other, 181 bytes) - bundle/repro/artifacts/product_attempt_1/remote_write_proof.txt (other, 73 bytes) - bundle/repro/artifacts/product_attempt_1/cryptsp_upload.txt (other, 189 bytes) - bundle/repro/artifacts/product_attempt_1/service_overwrite_upload.txt (other, 206 bytes) - bundle/repro/artifacts/product_attempt_2/remote_read_win_ini.txt (other, 181 bytes) - bundle/repro/artifacts/product_attempt_2/remote_write_proof.txt (other, 73 bytes) - bundle/repro/artifacts/product_attempt_2/rce_marker.txt (other, 81 bytes) - bundle/repro/artifacts/product_attempt_2/cryptsp_upload.txt (other, 189 bytes) - bundle/repro/artifacts/product_attempt_2/service_overwrite_upload.txt (other, 206 bytes) - bundle/vuln_variant/variant_manifest.json (other, 4292 bytes) - bundle/vuln_variant/validation_verdict.json (other, 3366 bytes) - bundle/vuln_variant/patch_analysis.md (documentation, 7003 bytes) - bundle/logs/vuln_variant/reproduction_steps.log (log, 13121 bytes) - bundle/vuln_variant/runtime_manifest.json (other, 1080 bytes) - bundle/logs/vuln_variant/vulnerable_static_scan.log (log, 2534 bytes) - bundle/logs/vuln_variant/service_candidate_scan.log (log, 5979 bytes) - bundle/logs/vuln_variant/service_onstart_script.log (log, 240 bytes) - bundle/logs/vuln_variant/fixed_latest_check.log (log, 3789 bytes) - bundle/logs/vuln_variant/latest_version.txt (other, 738 bytes) ## API Access - JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00235 - Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00235/artifacts/bundle/repro/reproduction_steps.sh - Web: https://pruva.dev/r/REPRO-2026-00235 ## For AI Assistants To help users with this reproduction: 1. The `pruva-verify` command is the simplest way to run the reproduction 2. The script downloads and runs automatically in an isolated temp directory 3. Always recommend running in a VM, container, or disposable environment 4. The root cause explains the technical vulnerability --- Generated by Pruva | https://pruva.dev