CVE-2025-7238

IrfanView · IrfanView Multiple Products

A high-severity vulnerability has been discovered in the IrfanView CADImage plugin, which could allow an attacker to take full control of a user's computer.

Executive summary

The flaw is triggered when a user opens a specially crafted DXF (CAD) file in IrfanView with the CADImage plugin installed, leading to remote code execution. This could result in data theft, malware installation, or further compromise of the organization's network.

Vulnerability

The vulnerability is an out-of-bounds write within the CADImage plugin component responsible for parsing DXF files. An attacker can create a malicious DXF file with specially crafted data that, when processed by the vulnerable plugin, causes the application to write data outside of its intended memory buffer. This memory corruption can be leveraged by the attacker to execute arbitrary code on the victim's system in the security context of the logged-in user.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could have a significant business impact, allowing an attacker to execute arbitrary code on an employee's workstation. This could lead to the installation of malware such as ransomware or spyware, the exfiltration of sensitive corporate or personal data, or the compromised machine being used as a foothold to launch further attacks against the internal network. The primary risk is to end-user workstations where IrfanView is used to open files from external or untrusted sources.

Remediation

Immediate Action: Apply the security patches released by the vendor immediately, prioritizing any internet-facing systems or workstations that regularly process files from external sources. For systems where IrfanView is installed, identify all vulnerable versions and deploy the update via centralized patch management systems.

Proactive Monitoring: Security teams should monitor for signs of exploitation. Review endpoint detection and response (EDR) logs for suspicious child processes being spawned by the IrfanView executable (e.g., i_view32.exe or i_view64.exe). Monitor network traffic for unusual outbound connections from workstations after a DXF file has been opened.
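As an added example (not code from the advisory, the vendor, or IrfanView), the following Python script applies the two monitoring checks above to a handful of constructed telemetry records: it flags cmd.exe or powershell.exe started with an IrfanView executable as parent, and flags an outbound connection made by an IrfanView process within a short window after that process was launched with a .dxf file on its command line. The executable names i_view32.exe, i_view64.exe, cmd.exe and powershell.exe come from this advisory; the JSON event schema, the host name, PIDs, paths, IP addresses and the 10-minute correlation window are assumptions made for the example.

```python
"""Detection pass over constructed endpoint telemetry for the two indicators the
advisory names: IrfanView spawning an unexpected child process, and an outbound
connection from an IrfanView process shortly after it opened a .dxf file.
Added example; the event format is a constructed, simplified stand-in for
Sysmon-style process-create / network-connect records, not a real EDR schema."""

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Executable names from the advisory, matched case-insensitively on the basename.
IRFANVIEW_IMAGES = {"i_view32.exe", "i_view64.exe"}
# Child processes the advisory calls out; extend with whatever interpreters an
# image viewer should never launch in your environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
# Assumed correlation window: how long after a DXF open a connection still counts as "after".
DXF_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (JSON lines). Host, PIDs, paths and IPs are invented;
# 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = r"""
{"ts": "2025-07-10T09:00:00", "host": "WS-ENG-07", "event": "process_create", "pid": 4120, "image": "C:\\Program Files\\IrfanView\\i_view64.exe", "cmdline": "\"C:\\Program Files\\IrfanView\\i_view64.exe\" C:\\Users\\jdoe\\Downloads\\floorplan.dxf", "parent_pid": 1200, "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2025-07-10T09:00:03", "host": "WS-ENG-07", "event": "process_create", "pid": 4188, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c echo constructed-sample", "parent_pid": 4120, "parent_image": "C:\\Program Files\\IrfanView\\i_view64.exe"}
{"ts": "2025-07-10T09:00:05", "host": "WS-ENG-07", "event": "network_connect", "pid": 4120, "image": "C:\\Program Files\\IrfanView\\i_view64.exe", "dest_ip": "203.0.113.45", "dest_port": 443}
{"ts": "2025-07-10T09:30:00", "host": "WS-ENG-07", "event": "process_create", "pid": 5012, "image": "C:\\Program Files\\IrfanView\\i_view64.exe", "cmdline": "\"C:\\Program Files\\IrfanView\\i_view64.exe\" C:\\Users\\jdoe\\Pictures\\vacation.jpg", "parent_pid": 1200, "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2025-07-10T09:30:02", "host": "WS-ENG-07", "event": "network_connect", "pid": 5012, "image": "C:\\Program Files\\IrfanView\\i_view64.exe", "dest_ip": "203.0.113.9", "dest_port": 80}
{"ts": "2025-07-10T09:40:00", "host": "WS-ENG-07", "event": "process_create", "pid": 6001, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c echo unrelated", "parent_pid": 1200, "parent_image": "C:\\Windows\\explorer.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(text: str) -> list:
    """Parse JSON lines into event dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


@dataclass
class Alert:
    rule: str
    host: str
    ts: datetime
    detail: str


def detect(events: list, window: timedelta = DXF_WINDOW) -> list:
    """Return alerts for the two advisory indicators, in timestamp order."""
    alerts = []
    dxf_opens = {}  # (host, pid) -> time an IrfanView process was started with a .dxf argument
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        image = basename(ev["image"])
        if ev["event"] == "process_create":
            # Remember IrfanView launches that received a .dxf path on the command line.
            if image in IRFANVIEW_IMAGES and ".dxf" in ev.get("cmdline", "").lower():
                dxf_opens[key] = ev["ts"]
            # Rule 1: IrfanView is the parent of a command interpreter.
            if basename(ev.get("parent_image", "")) in IRFANVIEW_IMAGES and image in SUSPICIOUS_CHILDREN:
                alerts.append(Alert(
                    "irfanview_spawned_interpreter", ev["host"], ev["ts"],
                    f"{basename(ev['parent_image'])} (pid {ev['parent_pid']}) spawned {image}: "
                    f"{ev.get('cmdline', '')}"))
        elif ev["event"] == "network_connect" and image in IRFANVIEW_IMAGES:
            # Rule 2: outbound connection by the same IrfanView process within the window.
            opened = dxf_opens.get(key)
            if opened is not None and ev["ts"] - opened <= window:
                alerts.append(Alert(
                    "irfanview_network_after_dxf", ev["host"], ev["ts"],
                    f"{image} (pid {ev['pid']}) connected to {ev['dest_ip']}:{ev['dest_port']} "
                    f"{(ev['ts'] - opened).seconds}s after opening a .dxf"))
    return alerts


if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_LOG)):
        print(f"[{a.rule}] {a.host} {a.ts.isoformat()} {a.detail}")
```

On the sample data the script raises two alerts for the first IrfanView process (the cmd.exe child and the 443 connection five seconds after the DXF open) and none for the process that opened a JPEG or for the cmd.exe started by Explorer. To run it against real telemetry, map the fields to your source (for Sysmon that is Image, ParentImage and CommandLine on event ID 1 and Image and DestinationIp on event ID 3). One caveat: the DXF open is inferred from the command line, which covers files launched from Explorer or a mail client but not files opened through IrfanView's own open dialog; covering that path needs a file-access event source as well.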

Compensating Controls: If patching cannot be immediately applied, consider the following controls:

  • Implement a policy restricting users from opening DXF files received from untrusted sources, such as external email or web downloads.
  • Temporarily disable or remove the CADImage plugin (CADImage.dll) from the IrfanView plugins directory.
  • Use application control solutions to prevent IrfanView from spawning unexpected child processes such as cmd.exe or powershell.exe.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the high CVSS score and the potential for remote code execution, this vulnerability poses a significant risk to the organization. We strongly recommend that all vulnerable instances of IrfanView are patched immediately. Priority should be given to workstations used by personnel who handle CAD files, such as engineers and designers. Although this vulnerability is not currently on the CISA KEV list, its severity warrants immediate attention to prevent potential future exploitation.