CVE-2025-7234
IrfanView · IrfanView Multiple Products
A high-severity vulnerability has been discovered in the IrfanView CADImage plugin, which could allow an attacker to take control of a user's computer.
Executive summary
A high-severity vulnerability has been discovered in the IrfanView CADImage plugin, which could allow an attacker to take control of a user's computer. By tricking a user into opening a specially crafted CGM image file, an attacker can execute malicious code, potentially leading to data theft, malware installation, or further network compromise. This vulnerability poses a significant risk to organizations where IrfanView is used to handle image files from external sources.
Vulnerability
This vulnerability is an out-of-bounds write that occurs within the CADImage plugin when parsing a malformed Computer Graphics Metafile (CGM). An attacker can create a malicious CGM file with specific data that, when processed by the vulnerable plugin, causes the application to write data outside of its allocated memory buffer. This memory corruption can be exploited to hijack the program's execution flow, enabling the attacker to run arbitrary code on the victim's system with the same permissions as the user running IrfanView. Exploitation requires user interaction, such as opening the malicious file received via email or downloaded from a website.
Business impact
The vulnerability is rated as High severity with a CVSS score of 7.8, reflecting the potential for complete system compromise. Successful exploitation could lead to the installation of malware such as ransomware, spyware, or remote access trojans. This could result in the theft of sensitive corporate data, intellectual property, or employee credentials. A compromised machine could also be used as a staging point to launch further attacks against other systems within the organization's network, escalating the overall impact of the security breach.
Remediation
Immediate Action: Identify all systems running vulnerable versions of IrfanView and prioritize the application of vendor-supplied security patches. For internet-facing systems or those used by employees who frequently handle external documents, patching should be treated as an emergency change. After patching, review system and application logs for any signs of compromise preceding the update.
Proactive Monitoring: Configure security information and event management (SIEM) and endpoint detection and response (EDR) systems to monitor for indicators of compromise. This includes looking for the presence of suspicious CGM files on endpoints or in network traffic, monitoring for abnormal process creation originating from the IrfanView executable (e.g., i_view64.exe), and alerting on memory corruption or code injection attempts targeting the IrfanView process.
Compensating Controls: If immediate patching is not possible, consider implementing the following controls to reduce risk:
- Temporarily disable or remove the vulnerable CADImage plugin (CADImage.dll) from the IrfanView plugins directory if CGM file support is not a business requirement.
- Use application control software to prevent IrfanView from launching child processes like cmd.exe or powershell.exe.
- Enhance email and web gateway filtering to block or quarantine incoming CGM files.
- Educate users on the dangers of opening attachments and files from untrusted sources.
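The Proactive Monitoring rule (abnormal process creation from the IrfanView executable) and the child-process control above, as an added example that is not part of this advisory: a small Python triage function run over constructed process-creation events. The event field names, the sample paths and the 32-bit image name i_view32.exe are assumptions, not values from the page.

```python
"""Flag child processes spawned by IrfanView, per the remediation guidance.

Added example, not the advisory's or vendor's code. Events are constructed
to resemble Windows process-creation telemetry (parent image, child image);
the field names are assumptions, not a real log schema.
"""
from dataclasses import dataclass
import ntpath

# i_view64.exe is named on the page; i_view32.exe is assumed for 32-bit builds.
IRFANVIEW_IMAGES = {"i_view64.exe", "i_view32.exe"}
# Children the compensating controls say application control should block.
BLOCKED_CHILDREN = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the newly created process image


def _basename(path: str) -> str:
    # ntpath handles Windows backslash paths regardless of host OS.
    return ntpath.basename(path).lower()


def classify(event: ProcessEvent) -> str:
    """Return 'ok', 'suspicious' or 'blocked' for one process-creation event."""
    if _basename(event.parent_image) not in IRFANVIEW_IMAGES:
        return "ok"                       # not a child of IrfanView
    if _basename(event.image) in BLOCKED_CHILDREN:
        return "blocked"                  # matches the application-control rule
    return "suspicious"                   # an image viewer spawning anything is abnormal


def triage(events):
    """Return (verdict, event) pairs for every event that warrants an alert."""
    verdicts = ((classify(e), e) for e in events)
    return [(v, e) for v, e in verdicts if v != "ok"]


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\IrfanView\i_view64.exe"),
    ProcessEvent(r"C:\Program Files\IrfanView\i_view64.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Program Files\IrfanView\i_view64.exe", r"C:\Users\alice\AppData\Local\Temp\tmp1234.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for verdict, ev in triage(SAMPLE_EVENTS):
        print(f"{verdict:10s} parent={_basename(ev.parent_image)} child={_basename(ev.image)}")
```

In a SIEM this maps to a rule keyed on the parent image name; the second and third sample events are the ones that should alert, the fourth is ordinary user activity.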
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity rating and the potential for remote code execution, this vulnerability presents a critical risk to the organization. Although there is no evidence of active exploitation at this time, the risk of a full system compromise is too significant to ignore. We strongly recommend that organizations prioritize the immediate deployment of the security patches provided by the vendor across all affected workstations and servers. If patching is delayed, the compensating controls outlined above should be implemented without delay to mitigate the immediate threat.