CVE-2025-7239
IrfanView · IrfanView Multiple Products
A high-severity vulnerability has been identified in the IrfanView CADImage plugin, which could allow an attacker to take control of a user's computer.
Executive summary
A high-severity vulnerability has been identified in the IrfanView CADImage plugin, which could allow an attacker to take control of a user's computer. If a user opens a specially crafted malicious DWG (AutoCAD) file, an attacker could execute arbitrary code, potentially leading to data theft, ransomware infection, or further compromise of the corporate network.
Vulnerability
This vulnerability is a memory corruption flaw within the CADImage plugin responsible for rendering DWG files in IrfanView. An attacker can create a malicious DWG file containing malformed data that, when parsed by the vulnerable plugin, triggers a memory error (such as a buffer overflow). By carefully crafting the file, the attacker can exploit this memory corruption to execute arbitrary code on the victim's system with the same permissions as the user running the IrfanView application. Exploitation requires user interaction, as the victim must be convinced to open the malicious file.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8, posing a significant risk to the organization. Successful exploitation could grant an attacker initial access to an endpoint, leading to severe consequences such as the exfiltration of sensitive corporate data, deployment of ransomware, or installation of persistent backdoors. A compromised workstation can also be used as a pivot point to move laterally across the network, escalating the incident from a single-user compromise to a widespread network breach.
Remediation
Immediate Action: The primary remediation is to apply the security patches provided by IrfanView to all affected systems immediately. Priority should be given to internet-facing systems or any workstation that regularly processes files from external or untrusted sources. Following patching, monitor systems for any signs of exploitation attempts and review application and file access logs for unusual activity involving DWG files.
Proactive Monitoring: Security teams should monitor for anomalous behavior associated with the IrfanView process (e.g., i_view32.exe, i_view64.exe). This includes looking for suspicious child processes, unexpected network connections originating from IrfanView, and application crash logs. Endpoint Detection and Response (EDR) systems should be configured to detect and alert on memory exploitation techniques.
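The following PowerShell is an added detection example written for this advisory; it is not vendor code. It applies the monitoring points above to process telemetry: it flags command interpreters spawned by the IrfanView processes named here (i_view32.exe, i_view64.exe) and pulls recent Application Error crash records for those executables. The sample records are constructed and follow Sysmon Event ID 1 field names; the live path assumes Sysmon is installed and its operational log is readable.

```powershell
# Added detection example (not from the advisory). Flags IrfanView spawning
# command interpreters and pulls recent IrfanView crash records.
# Requires Sysmon for the live process-creation path; the $SampleEvents
# records are constructed and mirror Sysmon Event ID 1 field names.

$IrfanViewImages    = @('i_view32.exe', 'i_view64.exe')   # process names from the advisory
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                        'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')

function Test-IrfanViewChild {
    # True when an IrfanView process is the parent of a child that an image viewer has no reason to start.
    param([Parameter(Mandatory)][pscustomobject]$Event)
    $parent = [IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
    $child  = [IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
    return ($IrfanViewImages -contains $parent) -and ($SuspiciousChildren -contains $child)
}

function Get-SysmonProcessCreate {
    # Live data: Sysmon Event ID 1 converted to flat objects with the same field names as $SampleEvents.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]$data
        }
}

function Get-IrfanViewCrash {
    # Application Error (Event ID 1000) records whose faulting application is IrfanView.
    # Repeated crashes on DWG files are the "application crash logs" signal the advisory mentions.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'i_view(32|64)\.exe' } |
        Select-Object TimeCreated, Message
}

# Constructed sample records: one shell spawned by IrfanView (should alert), two benign events.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2025-07-10 09:12:01'; User = 'CORP\alice'
                       ParentImage = 'C:\Program Files\IrfanView\i_view64.exe'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c dir' }
    [pscustomobject]@{ UtcTime = '2025-07-10 09:12:05'; User = 'CORP\alice'
                       ParentImage = 'C:\Program Files\IrfanView\i_view64.exe'
                       Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
    [pscustomobject]@{ UtcTime = '2025-07-10 09:13:40'; User = 'CORP\bob'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe' }
)

# Offline run over the constructed records: only the first record is reported.
$alerts = $SampleEvents | Where-Object { Test-IrfanViewChild $_ }
$alerts | Format-Table UtcTime, User, ParentImage, Image, CommandLine -AutoSize

# Live use on an endpoint with Sysmon:
#   Get-SysmonProcessCreate | Where-Object { Test-IrfanViewChild $_ }
#   Get-IrfanViewCrash -Days 30
```

The parent/child check is deliberately name-based so it can be ported to an EDR or SIEM query as-is; the same rule expressed as an application control policy (IrfanView may not launch the listed interpreters) turns it from an alert into a block, which is the compensating control described below.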
Compensating Controls: If immediate patching is not possible, implement the following controls to mitigate risk:
- Disassociate the .dwg file extension from IrfanView to prevent users from accidentally opening malicious files with the vulnerable application.
- Use application control policies to restrict IrfanView from launching other processes (e.g., command shells, PowerShell).
- Educate users on the dangers of opening unsolicited attachments, especially DWG files, from untrusted sources.
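As an added example for the first compensating control (not part of the advisory), the PowerShell below reports which application currently handles the .dwg extension on a host and whether the CADImage plugin is present alongside the IrfanView executable. It is a read-only audit intended for a fleet check before and after the association is changed. Assumptions: IrfanView installed under one of the default Program Files folders, and the plugin shipping as Plugins\CADImage.dll; both are labelled in the code and should be verified against your deployment.

```powershell
# Added audit example, not from the advisory. Reports whether .dwg files open
# in IrfanView on this host and whether the CADImage plugin file is present.
# Assumptions: default install folders under Program Files; plugin file name
# 'CADImage.dll' in the Plugins folder (verify against your installation).

function Get-DwgHandler {
    # The per-user UserChoice ProgId takes precedence over the machine-wide HKCR\.dwg default.
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dwg\UserChoice'
    $progId = (Get-ItemProperty -Path $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.dwg' -ErrorAction SilentlyContinue).'(default)'
    }
    if (-not $progId) { return $null }
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ ProgId = $progId; Command = $command }
}

function Get-IrfanViewInstall {
    # Assumed default install locations; adjust for a non-standard deployment.
    $candidates = @("$env:ProgramFiles\IrfanView", "${env:ProgramFiles(x86)}\IrfanView")
    foreach ($dir in $candidates) {
        $exe = Get-ChildItem -Path $dir -Filter 'i_view*.exe' -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $exe) { continue }
        $plugin = Join-Path $dir 'Plugins\CADImage.dll'   # assumed plugin file name
        [pscustomobject]@{
            Executable   = $exe.FullName
            Version      = $exe.VersionInfo.ProductVersion
            CadPlugin    = $plugin
            CadPresent   = Test-Path $plugin
            CadVersion   = if (Test-Path $plugin) { (Get-Item $plugin).VersionInfo.FileVersion } else { $null }
        }
    }
}

$handler = Get-DwgHandler
$install = Get-IrfanViewInstall

if ($handler -and $handler.Command -match 'i_view(32|64)\.exe') {
    Write-Warning ".dwg opens in IrfanView via ProgId '$($handler.ProgId)': $($handler.Command)"
} else {
    Write-Output (".dwg handler: " + $(if ($handler) { $handler.ProgId } else { 'none registered' }))
}

if ($install) {
    $install | Format-List
} else {
    Write-Output 'IrfanView not found in the assumed install folders.'
}
```

On current Windows versions the UserChoice key is integrity-protected, so the association itself is changed through Default Apps settings, a deployed default-associations XML via group policy, or by removing the .dwg entry from the IrfanView file-type options; the script is meant to confirm the result of that change across machines, not to make it.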
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.8) and the potential for remote code execution, this vulnerability requires immediate attention. Organizations must prioritize the deployment of vendor-supplied patches across all workstations where IrfanView is installed. Although this vulnerability is not yet on the CISA KEV list, its potential for enabling initial access means it should be treated with urgency. If patching is delayed, the recommended compensating controls must be implemented to reduce the attack surface.