criticalCVE-2026-58126

CVE-2026-58126 in PACSgear PACS Scan

PACSgear PACS Scan 5.2.1 contains an unauthenticated remote code execution vulnerability that allows remote attackers to read and write arbitrary files by exploiting an exposed .NET Remoting TCP service on port 22222 via PGImageExchQueue.exe without any authentication requirement. Attackers can chain the arbitrary file write primitive with DLL hijacking in PGImageExchangeQueueSvc.exe, which loads missing DLLs such as CRYPTSP.DLL from the application directory, to achieve remote code execution as NT Authority\SYSTEM upon service restart.

ProductPACSgear PACS Scan
CVSS9.3
EPSS0.00963
UpdatedJuly 15, 2026

Quick answer

Hyland PACSgear PACS Scan should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • PACSgear PACS Scan 5.2.1 and earlier where the vulnerable PGImageExchQueue.exe .NET Remoting service is exposed

Fixed versions

  • No confirmed public fixed version at generation time; isolate TCP port 22222 and apply the latest Hyland-supported update or workaround when available

How to fix it

CVE-2026-58126 affects PACSgear PACS Scan. In simple terms, an attacker may be able to run code or take control of the affected system if the .NET Remoting service is exposed. This is critical because the service can run with high Windows privileges. There is no confirmed public fixed version yet, so block TCP port 22222 and ask Hyland for the supported update or workaround.

  1. Find every PACSgear PACS Scan install in production, staging, and test.
  2. Check whether it matches PACSgear PACS Scan 5.2.1 and earlier where the vulnerable PGImageExchQueue.exe .NET Remoting service is exposed.
  3. Apply the latest Hyland-supported update or workaround as soon as it is available.
  4. Block TCP port 22222 from untrusted networks until the vendor gives a supported fix.
  5. Back up the system before making the change.
  6. Review logs for strange requests, crashes, file changes, or failed actions.
  7. Rotate secrets or rebuild the host if you suspect the issue was used.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the installed version is fixed or the mitigation is active.
  • Confirm TCP port 22222 is blocked from untrusted networks.
  • Test the affected feature with a normal user account.
  • Review recent logs for signs of abuse.
  • Run a fresh Fixnx scan and keep the result with the change record.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-58126?

Hyland PACSgear PACS Scan versions listed as affected should be reviewed: PACSgear PACS Scan 5.2.1 and earlier where the vulnerable PGImageExchQueue.exe .NET Remoting service is exposed.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.