CVE-2025-7240
IrfanView · IrfanView Multiple Products
Executive summary
A high-severity vulnerability has been discovered in the IrfanView image viewer's CADImage plugin, which could allow an attacker to take full control of a user's computer. Exploitation occurs when a user opens a specially crafted malicious DWG (CAD) file, potentially leading to data theft, malware installation, or further intrusion into the corporate network. Immediate patching is required to mitigate this significant risk.
Vulnerability
The vulnerability is a memory corruption flaw within the CADImage plugin, which is responsible for rendering DWG files. When a user opens a specially crafted, malicious DWG file, the plugin's parsing engine improperly handles the file's data, leading to a memory corruption state such as a buffer overflow. An attacker can leverage this corruption to overwrite critical memory structures and divert the application's execution flow, resulting in the execution of arbitrary code with the same privileges as the logged-in user.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation poses a significant risk to the organization. If an employee opens a malicious DWG file, often delivered via a phishing email, their workstation can be completely compromised. This could lead to the installation of ransomware, spyware to steal credentials and sensitive data (e.g., intellectual property, financial records), or the compromised machine being used as a beachhead to launch further attacks against the internal network. The risk is particularly acute for departments like engineering or design that regularly handle DWG files and may use IrfanView as a quick preview tool.
Remediation
Immediate Action: The primary remediation is to apply the security patches provided by the vendor immediately, prioritizing any internet-facing systems or workstations used by employees who handle external documents. Following patching, security teams should actively monitor for any signs of exploitation attempts and review file access logs for unusual DWG file activity preceding the patch deployment.
Proactive Monitoring: Security operations teams should implement enhanced monitoring to detect potential exploitation. This includes looking for unusual child processes spawned by the IrfanView executable (e.g., i_view32.exe, i_view64.exe), monitoring for outbound network connections from IrfanView to unknown IP addresses, and configuring EDR solutions to alert on memory protection violations or suspicious API calls originating from the application.
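The two hunting signals named above (an interpreter spawned by the IrfanView process, and an outbound connection from IrfanView to a destination that is not expected) can be expressed as simple rules over endpoint telemetry. The script below is an added example for this advisory, not code from the advisory's author or from IrfanView: it evaluates Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records. The event records, the list of suspicious child processes and the RFC 1918 allowlist are constructed assumptions for the example and should be tuned to the environment.

```python
"""Detection logic for the IrfanView hunting guidance in the advisory.

Added example (not from the advisory or from IrfanView): it evaluates
Sysmon-style process-creation (EventID 1) and network-connection (EventID 3)
events and flags the two behaviours the advisory names:
  * a command interpreter or scripting host spawned by the IrfanView binary
  * an outbound connection from IrfanView to a destination outside an allowlist
The event records at the bottom are constructed sample data, not real telemetry.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Process names taken from the advisory; matching is done in lower case.
IRFANVIEW_IMAGES = {"i_view32.exe", "i_view64.exe"}

# Interpreters and LOLBins an image viewer has no business launching.
# This list is an assumption for the example; tune it to your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Destinations IrfanView may legitimately reach (e.g. an internal update mirror).
# Hypothetical allowlist; RFC 1918 ranges stand in for the corporate network.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_allowed(ip: str) -> bool:
    """True only for loopback or allowlisted destinations; unparsable input is never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or any(addr in net for net in ALLOWED_NETWORKS)


def evaluate(events: Iterable[dict]) -> list[Finding]:
    """Run both rules over a stream of Sysmon-like event dicts and return the hits."""
    findings: list[Finding] = []
    for ev in events:
        host = ev.get("Computer", "?")
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            parent = _basename(ev.get("ParentImage", ""))
            child = _basename(ev.get("Image", ""))
            if parent in IRFANVIEW_IMAGES and child in SUSPICIOUS_CHILDREN:
                findings.append(Finding(
                    "irfanview_spawns_interpreter", host,
                    f"{parent} -> {child} cmdline={ev.get('CommandLine', '')!r}"))
        elif eid == 3:  # network connection
            image = _basename(ev.get("Image", ""))
            dest = ev.get("DestinationIp", "")
            if image in IRFANVIEW_IMAGES and ev.get("Initiated") and not _is_allowed(dest):
                findings.append(Finding(
                    "irfanview_outbound_connection", host,
                    f"{image} -> {dest}:{ev.get('DestinationPort', '?')}"))
    return findings


# Constructed sample events: a benign viewer launch, a benign internal
# connection, an interpreter spawn, and a connection to an external address.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ENG-WS-07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\IrfanView\i_view64.exe",
     "CommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" C:\Users\eng\Downloads\plan.dwg'},
    {"EventID": 3, "Computer": "ENG-WS-07", "Image": r"C:\Program Files\IrfanView\i_view64.exe",
     "Initiated": True, "DestinationIp": "10.20.30.40", "DestinationPort": 443},
    {"EventID": 1, "Computer": "ENG-WS-07", "ParentImage": r"C:\Program Files\IrfanView\i_view64.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 3, "Computer": "ENG-WS-07", "Image": r"C:\Program Files\IrfanView\i_view64.exe",
     "Initiated": True, "DestinationIp": "203.0.113.45", "DestinationPort": 8443},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed sample, the first two events are ignored and the last two produce one finding each. In production the same two rules map directly onto EDR or SIEM queries keyed on the parent process name and the initiating image, which is what the advisory's monitoring guidance asks for.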
Compensating Controls: If immediate patching is not feasible, the following compensating controls should be implemented:
- Disable the CADImage plugin (CADImage.dll) within the IrfanView installation directory if viewing DWG files is not a business-critical function.
- Use application control policies (e.g., AppLocker) to prevent IrfanView from launching command-line interpreters or other potentially malicious tools.
- Enhance email security gateway rules to block or quarantine DWG file attachments from untrusted or external sources.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.8) and the risk of remote code execution, this vulnerability requires immediate attention. Although it is not currently listed on the CISA KEV catalog, its impact is severe enough to warrant treating it with urgency. We strongly recommend that all organizations prioritize the deployment of the vendor-supplied patches to all systems with IrfanView installed. If patching is delayed, the compensating controls, particularly disabling the vulnerable plugin, should be implemented as an interim measure to reduce the attack surface.