CVE-2025-9274

Oxford · Oxford Instruments Multiple Products, including Imaris Viewer


Executive summary

A critical vulnerability has been identified in multiple Oxford Instruments products, specifically within the Imaris Viewer's file parsing component. An attacker could exploit this flaw by tricking a user into opening a specially crafted IMS file, which could allow the attacker to execute malicious code and gain complete control over the affected system. This presents a significant risk of data theft, malware infection, and further network intrusion.

Vulnerability

The vulnerability exists in the file parsing library used by Oxford Instruments Imaris Viewer when processing IMS files. Specifically, a pointer is not properly initialized before being used, a condition known as an uninitialized pointer vulnerability. An attacker can create a malicious IMS file that, when opened by a user, causes the application to use this uninitialized pointer. This can lead to a dereference of a memory address controlled by the attacker, allowing them to execute arbitrary code on the victim's system with the same privileges as the user running the application.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the affected workstation. The primary business risks include the theft of sensitive research data, intellectual property, or personally identifiable information (PII). An attacker could also install persistent malware, such as ransomware or spyware, leading to significant operational disruption, financial loss, and reputational damage. The compromised system could also be used as a launchpad for further attacks within the corporate network.

Remediation

Immediate Action: Apply the security patches released by Oxford Instruments to all affected systems, prioritizing those that are internet-facing or handle critical data. After deploying the patches, review application and system logs for unusual activity related to IMS file processing, which may indicate exploitation attempts.

Proactive Monitoring: Monitor application logs for crashes or errors related to the Imaris Viewer or IMS file parsing. Check endpoint security logs (EDR) for suspicious process creation originating from the affected Oxford software. Monitor network traffic for unusual outbound connections from workstations running the affected software, which could indicate a command-and-control (C2) channel.
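The monitoring steps above, sketched as an added example (not code from Oxford Instruments or from this advisory): it ties viewer crashes, unexpected child processes and outbound connections back to the IMS file opened shortly before them. The image name `ImarisViewer.exe`, the event schema, the allowlist and the 10-minute window are assumptions, and the sample events are constructed.

```python
import ntpath
from datetime import datetime, timedelta

VIEWER = "imarisviewer.exe"          # assumption: viewer image name, confirm locally
ALLOWED_CHILDREN = {"werfault.exe"}  # assumption: children expected in your fleet
WINDOW = timedelta(minutes=10)       # assumption: correlation window after an IMS open

def _image(path):
    return ntpath.basename(path or "").lower()  # basename of a Windows path

def triage(events):
    """Flag viewer crashes, unexpected children and outbound connections,
    each tied to the IMS file the viewer opened on that host shortly before."""
    last_ims = {}  # host -> (time, path) of the most recent IMS open by the viewer
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev["host"], ev["type"]
        when = datetime.fromisoformat(ev["ts"])
        if kind == "file_open":
            if _image(ev["image"]) == VIEWER and ev["path"].lower().endswith(".ims"):
                last_ims[host] = (when, ev["path"])
            continue
        if kind == "crash" and _image(ev["image"]) == VIEWER:
            signal = "viewer crash"
        elif (kind == "process_create" and _image(ev["parent"]) == VIEWER
              and _image(ev["image"]) not in ALLOWED_CHILDREN):
            signal = "unexpected child: " + _image(ev["image"])
        elif kind == "net_connect" and _image(ev["image"]) == VIEWER:
            signal = "outbound connection: " + ev["dest"]
        else:
            continue
        opened = last_ims.get(host)
        recent = opened is not None and when - opened[0] <= WINDOW
        findings.append({"host": host, "signal": signal,
                         "ims_file": opened[1] if recent else None})
    return findings

V = r"C:\Apps\ImarisViewer.exe"  # constructed install path
SAMPLE = [  # constructed events in a hypothetical normalised schema
    {"ts": "2025-01-01T09:00:00", "host": "ws-01", "type": "file_open", "image": V, "path": r"C:\Users\a\Downloads\sample.ims"},
    {"ts": "2025-01-01T09:00:05", "host": "ws-01", "type": "crash", "image": V},
    {"ts": "2025-01-01T09:10:00", "host": "ws-02", "type": "file_open", "image": V, "path": r"D:\shared\scan.ims"},
    {"ts": "2025-01-01T09:10:03", "host": "ws-02", "type": "process_create", "parent": V, "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-01-01T09:10:08", "host": "ws-02", "type": "net_connect", "image": V, "dest": "203.0.113.10:443"},
    {"ts": "2025-01-01T09:20:00", "host": "ws-03", "type": "process_create", "parent": V, "image": r"C:\Windows\System32\WerFault.exe"},
    {"ts": "2025-01-01T11:00:00", "host": "ws-04", "type": "crash", "image": V},
]
if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with a populated `ims_file` identifies the file to quarantine and examine; a finding with `None` means no IMS open was seen on that host within the window.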

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

  • Restrict the opening of IMS files from untrusted sources, such as email attachments or internet downloads.
  • Use application whitelisting to prevent the execution of unauthorized processes from the context of the Oxford software.
  • Ensure endpoint detection and response (EDR) solutions are deployed and configured to detect and block memory exploitation techniques.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 7.8) of this remote code execution vulnerability, immediate action is required. We strongly recommend that all affected Oxford Instruments products be patched immediately, with the highest priority given to systems used by researchers or personnel who handle files from external sources. Although CVE-2025-9274 is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, its high potential for impact means it is a prime candidate for future exploitation. Proactive patching and monitoring are the most effective strategies to mitigate the significant risk posed by this flaw.