CVE-2025-7241
IrfanView · IrfanView Multiple Products
A high-severity vulnerability has been identified in the IrfanView CADImage plugin, which allows for remote code execution.
Executive summary
A high-severity vulnerability has been identified in the IrfanView CADImage plugin, which allows for remote code execution. An attacker could craft a malicious DWG image file that, when opened by a user, would allow the attacker to take control of the victim's computer. This could lead to data theft, malware installation, or further attacks on the network.
Vulnerability
This vulnerability is a memory corruption flaw in the CADImage plugin that IrfanView uses to render DWG files. An attacker can create a specially crafted, malformed DWG file. When a user opens that file in IrfanView, the plugin's parser mishandles the malformed data and corrupts memory (for example, through a buffer overflow). An attacker can exploit this corruption to execute arbitrary code on the victim's system with the same permissions as the user who launched the application.
Business impact
This is a High severity vulnerability with a CVSS score of 7.8. Successful exploitation could have a significant negative impact on the organization. An attacker could install malware such as ransomware or spyware, exfiltrate sensitive corporate data, or use the compromised workstation as a foothold to move laterally across the internal network. The primary risk is to end-user workstations, particularly within departments (e.g., engineering, architecture, design) that regularly handle DWG files from external sources, making them susceptible to targeted phishing attacks.
Remediation
Immediate Action: Prioritize and apply the vendor-supplied security patches to all affected installations of IrfanView. For systems where patching cannot be immediately deployed, consider removing or disabling the vulnerable CADImage plugin (CADImage.dll) from the IrfanView installation directory.
Proactive Monitoring: Use Endpoint Detection and Response (EDR) tooling to monitor for suspicious process creation originating from irfanview.exe. Review application crash logs for IrfanView, especially crashes that follow the opening of DWG files. Monitor network traffic for unusual outbound connections from workstations running IrfanView, which could indicate a command-and-control (C2) channel established after a successful exploit.
Compensating Controls: If patching is not immediately feasible, implement user awareness training advising employees not to open DWG files from untrusted or unsolicited sources. Use application control policies to restrict IrfanView from spawning child processes like command shells or PowerShell. Ensure antivirus and anti-malware solutions are up-to-date to detect potential post-exploitation payloads.
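As an added illustration of the monitoring and application-control advice above (example code, not from the advisory or from IrfanView), the following Python flags process-creation events in which irfanview.exe launches a shell or script host and raises the severity when the parent command line shows a DWG file was opened. The event field names follow Windows Sysmon Event ID 1, the sample events are constructed, and the child-process list is an assumption to be aligned with local policy.

```python
"""Flag process-creation events in which IrfanView launches a shell or script host.
Field names follow Windows Sysmon Event ID 1; the sample events below are constructed."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Parent image taken from the advisory text; adjust to the executable name
# actually installed on your workstations (assumption).
IRFANVIEW_IMAGES = {"irfanview.exe"}
# Child images an image viewer has no routine reason to launch; align this
# set with the local application-control policy (assumption).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path ('' when missing)."""
    return PureWindowsPath(image).name.lower()

def assess_event(event: Dict) -> Optional[Dict]:
    """Return an alert when irfanview.exe spawns a suspicious child, else None.
    Severity is 'high' when the parent's command line shows a .dwg was opened."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in IRFANVIEW_IMAGES or child not in SUSPICIOUS_CHILDREN:
        return None
    parent_cmd = event.get("ParentCommandLine", "")
    return {
        "severity": "high" if ".dwg" in parent_cmd.lower() else "medium",
        "child": child,
        "parent_cmdline": parent_cmd,
        "child_cmdline": event.get("CommandLine", ""),
    }

def scan(events: List[Dict]) -> List[Dict]:
    """Run assess_event over a batch of events and keep only the alerts."""
    return [alert for alert in map(assess_event, events) if alert]

IV = r"C:\Program Files\IrfanView\irfanview.exe"
SAMPLE_EVENTS = [  # constructed, not captured from a real host
    {"ParentImage": IV, "ParentCommandLine": f'"{IV}" C:\\Users\\alice\\Downloads\\site-plan.DWG',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo hi"},
    {"ParentImage": IV, "ParentCommandLine": f'"{IV}" C:\\Users\\alice\\Pictures\\cat.jpg',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # parent is not IrfanView
    {"ParentImage": IV, "ParentCommandLine": f'"{IV}" C:\\tmp\\drawing.dwg',
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign child
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: a high one for cmd.exe launched while a DWG was open, and a medium one for powershell.exe launched from a JPEG session; the explorer.exe parent and the notepad.exe child produce nothing.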
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high severity (CVSS 7.8) and the potential for complete system compromise, this vulnerability requires immediate attention. Although the CISA KEV catalog does not currently list this CVE, the risk of remote code execution is significant. We recommend organizations immediately identify all systems with the vulnerable IrfanView CADImage plugin and deploy the official patches. If patching is delayed, the compensating controls outlined above should be implemented as an interim measure to reduce the risk of exploitation.