CVE-2025-7235
IrfanView · IrfanView Multiple Products
A high-severity vulnerability has been identified in the IrfanView CADImage plugin, which could allow an attacker to take full control of a user's computer.
Executive summary
A high-severity vulnerability has been identified in the IrfanView CADImage plugin, which could allow an attacker to take full control of a user's computer. This is achieved by tricking a user into opening a specially crafted DXF image file, which triggers the vulnerability and allows for remote code execution. Successful exploitation could lead to data theft, malware installation, or further intrusion into the corporate network.
Vulnerability
This vulnerability is an out-of-bounds write that occurs within the CADImage plugin when parsing the structure of a DXF file. An attacker can create a malicious DXF file with malformed data that, when opened by an unsuspecting user in IrfanView, causes the application to write data outside of its allocated memory buffer. This memory corruption can be precisely controlled to overwrite critical program data, such as a return address on the stack, allowing the attacker to divert the program's execution flow and run arbitrary code with the same privileges as the logged-in user.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation results in Remote Code Execution (RCE) on the affected user's workstation. The business impact could be significant, including the compromise of sensitive corporate or personal data stored on the machine, installation of persistent malware such as ransomware or keyloggers, and financial loss. A compromised endpoint can also be used by an attacker as a foothold to move laterally across the network, escalating the incident from a single-user compromise to a widespread network breach.
Remediation
Immediate Action: The primary remediation is to apply the security patches released by the vendor immediately, prioritizing any internet-facing systems or user workstations that frequently process files from external sources. After patching, administrators should monitor for any signs of exploitation attempts that may have occurred prior to remediation and review application and system access logs for anomalous activity.
Proactive Monitoring: Security teams should configure monitoring to detect potential exploitation. This includes watching for IrfanView application crashes (specifically related to the CADImage.dll plugin), monitoring for suspicious child processes spawned by i_view32.exe or i_view64.exe (e.g., cmd.exe, powershell.exe), and scrutinizing network traffic for unusual outbound connections from workstations running IrfanView.
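The two host-based indicators named above (shell or script hosts spawned by IrfanView, and IrfanView crashes faulting inside CADImage.dll) can be hunted from the Windows event logs. The following PowerShell script is an added example written for this page, not tooling from the vendor or the advisory; it assumes Sysmon is installed with process-creation logging (Event ID 1) in its standard channel, and it widens the child-process list beyond the cmd.exe and powershell.exe the advisory mentions to other script hosts, which is the author's assumption about what an image viewer should never launch.

```powershell
# Added example (not part of the advisory): hunt for the two indicators the
# advisory names on a workstation. Assumes Sysmon process-creation logging
# (Event ID 1) in the default 'Microsoft-Windows-Sysmon/Operational' channel.
param(
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)
$irfanParents = @('i_view32.exe', 'i_view64.exe')
# Child processes an image viewer has no business launching (assumed list,
# extended from the advisory's cmd.exe / powershell.exe examples).
$suspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe',
                        'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')

# 1. IrfanView spawning a shell or script host (Sysmon Event ID 1).
$procEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($evt in $procEvents) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if (-not $data['ParentImage'] -or -not $data['Image']) { continue }

    $parent = Split-Path -Leaf $data['ParentImage']
    $child  = Split-Path -Leaf $data['Image']
    # -contains is case-insensitive in PowerShell, which matches NTFS naming.
    if ($irfanParents -contains $parent -and $suspiciousChildren -contains $child) {
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Indicator   = 'IrfanView spawned shell/script host'
            Parent      = $data['ParentImage']
            Child       = $data['Image']
            CommandLine = $data['CommandLine']
            User        = $data['User']
        }
    }
}

# 2. IrfanView crashes with CADImage.dll as the faulting module
#    (Application log, provider 'Application Error', Event ID 1000).
$crashEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
} -ErrorAction SilentlyContinue

foreach ($evt in $crashEvents) {
    if ($evt.Message -match 'i_view(32|64)\.exe' -and $evt.Message -match 'CADImage\.dll') {
        # Keep only the "Faulting application/module" lines for the record.
        $detail = ($evt.Message -split "`n" |
                   Where-Object { $_ -match 'Faulting (application|module) (name|path)' }) -join '; '
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Indicator = 'IrfanView crash in CADImage.dll'
            Detail    = $detail
        }
    }
}
```

Reading the Sysmon channel requires an elevated session. A crash in CADImage.dll on its own is not proof of an attack (a corrupt file can also crash a parser), but a crash followed by, or a DXF open followed by, a child shell from the same IrfanView process is the pairing worth escalating; the same two conditions translate directly into an EDR or SIEM rule keyed on parent image and faulting module.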
Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. This includes disabling or removing the vulnerable CADImage.dll plugin from the IrfanView installation directory to prevent the vulnerable code from being loaded. Additionally, deploying an Endpoint Detection and Response (EDR) solution can help detect and block post-exploitation behavior, and user awareness training should be reinforced to warn against opening DXF files from untrusted sources.
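Removing the plugin is a file-system change that should be auditable and reversible. The script below is an added example for this page, not the vendor's or the advisory's own procedure; it assumes the default IrfanView layout in which plugins live under a Plugins subfolder of the install directory, and the standard Program Files locations (the $SearchRoots and $QuarantineDir paths are the author's assumptions). It records the SHA256 and version of the DLL before moving it so the file can be restored once the vendor patch is deployed.

```powershell
# Added example (not vendor tooling): quarantine CADImage.dll so IrfanView
# cannot load it until the patch is applied. Assumes the default install layout;
# adjust $SearchRoots for custom install paths. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$SearchRoots = @("$env:ProgramFiles\IrfanView",
                               "${env:ProgramFiles(x86)}\IrfanView"),
    [string]$QuarantineDir = "$env:ProgramData\PluginQuarantine"   # assumed location
)

# IrfanView keeps the DLL mapped while running; the move would fail or be undone.
if (Get-Process -Name 'i_view32', 'i_view64' -ErrorAction SilentlyContinue) {
    throw 'IrfanView is running; close it before disabling the plugin.'
}

$found = foreach ($root in $SearchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Filter 'CADImage.dll' -File -ErrorAction SilentlyContinue
    }
}

if (-not $found) {
    Write-Output 'CADImage.dll not found under the search roots; nothing to do.'
    return
}

New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null

$i = 0
foreach ($dll in $found) {
    $i++
    # Hash and version captured before the move, for the change record.
    $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    $dest = Join-Path $QuarantineDir ('CADImage.dll.{0:yyyyMMddHHmmss}.{1}.disabled' -f (Get-Date), $i)
    if ($PSCmdlet.ShouldProcess($dll.FullName, "Move to $dest")) {
        Move-Item -Path $dll.FullName -Destination $dest
        [pscustomobject]@{
            Original   = $dll.FullName
            Quarantine = $dest
            SHA256     = $hash
            Version    = $dll.VersionInfo.FileVersion
            Disabled   = Get-Date
        }
    }
}

# Verify: nothing named CADImage.dll remains where IrfanView would load it.
foreach ($root in $SearchRoots) {
    if ((Test-Path $root) -and
        (Get-ChildItem -Path $root -Recurse -Filter 'CADImage.dll' -File -ErrorAction SilentlyContinue)) {
        Write-Warning "CADImage.dll still present under $root"
    }
}
```

Run it elevated, first with -WhatIf to see which files would be moved, then for real; the emitted objects can be piped to Export-Csv as the change record. Because the quarantined file is renamed rather than deleted, rolling back after patching is a single Move-Item back to the original path, although the patched plugin version should replace it rather than the quarantined copy.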
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high severity (CVSS 7.8) and the potential for complete system compromise, we recommend that organizations treat this vulnerability with urgency. The primary and most effective course of action is to deploy the vendor-supplied patches to all affected systems without delay. While there is no current evidence of active exploitation, the risk of a future exploit is high. If patching cannot be performed immediately, the compensating control of disabling the CADImage plugin should be implemented as a critical temporary measure to mitigate risk.