CVE-2025-9275
Oxford · Oxford Multiple Products
Executive summary
A high-severity vulnerability has been identified in multiple Oxford Instruments products, specifically within the Imaris Viewer software. This flaw allows a remote attacker to take full control of a user's computer by tricking them into opening a specially crafted IMS file, potentially leading to data theft, malware installation, or further network compromise. Organizations using the affected software are at significant risk and must take immediate action to mitigate this threat.
Vulnerability
The vulnerability is an out-of-bounds write condition that exists in the file parsing library for IMS files within the Oxford Instruments Imaris Viewer. When a user opens a maliciously crafted IMS file, the software attempts to write data outside the allocated memory buffer. An attacker can exploit this memory corruption to execute arbitrary code on the system with the same privileges as the user running the application.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could grant an attacker complete control over the affected workstation. This could lead to severe business consequences, including the exfiltration of sensitive intellectual property or research data, deployment of ransomware, installation of persistent backdoors for long-term espionage, or using the compromised system as a launchpad for further attacks against the internal network. Given the typical use of this software in research and development environments, the risk of intellectual property theft is particularly high.
Remediation
Immediate Action: Apply the security patches released by Oxford Instruments immediately, prioritizing any internet-facing systems or workstations used by personnel who handle files from external sources. Following patching, review system and application logs for any signs of compromise, such as unexpected application behavior or crashes related to opening IMS files.
Proactive Monitoring: Implement enhanced monitoring on endpoints running the affected software. Security teams should look for suspicious child processes spawning from the Imaris Viewer executable (e.g., cmd.exe, powershell.exe), unusual network connections to external IP addresses originating from the application, and alerts from endpoint security solutions related to memory corruption or unexpected file modifications.
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- User Awareness: Instruct users to exercise extreme caution and not open IMS files received from untrusted or unsolicited sources, such as external emails.
- Attack Surface Reduction: Use application control solutions (e.g., AppLocker) to prevent the Imaris Viewer application from launching other executables or scripts.
- Endpoint Detection and Response (EDR): Ensure EDR policies are tuned to detect and block common post-exploitation techniques that could result from a successful attack.
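The child-process and outbound-connection checks from the Proactive Monitoring guidance, as an added example that is not part of the original advisory or any vendor tooling: a Python sweep over constructed Sysmon-style JSON events (process creation, EventID 1, and network connection, EventID 3). The executable name `ImarisViewer.exe`, the host names, file paths and internal address ranges are assumptions to replace with local values.

```python
import ipaddress
import json
import ntpath

# Assumption: placeholder binary name; the advisory does not name the executable.
VIEWER_IMAGE = "imarisviewer.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}  # examples the advisory gives
# Assumption: these ranges stand in for "internal"; use your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed events shaped like Sysmon process-creation (EventID 1) and
# network-connection (EventID 3) records exported as JSON lines.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "ws-01", "ParentImage": "C:\\Apps\\ImarisViewer.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Computer": "ws-02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventID": 3, "Computer": "ws-01", "Image": "C:\\Apps\\ImarisViewer.exe", "DestinationIp": "10.1.2.3"}
{"EventID": 3, "Computer": "ws-03", "Image": "C:\\Apps\\ImarisViewer.exe", "DestinationIp": "203.0.113.10"}
{"EventID": 1, "Computer": "ws-04", "ParentImage": "c:\\apps\\IMARISVIEWER.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE"}
{truncated record
"""

def image_name(path):
    return ntpath.basename(path or "").lower()  # Windows paths are case-insensitive

def is_external(ip_text):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: nothing to judge
    return not any(addr in net for net in INTERNAL_NETS)

def triage(lines):
    """Return (rule, host, detail) for each event matching the monitoring guidance."""
    findings = []
    for raw in lines:
        try:
            ev = json.loads(raw)
            eid, host = ev.get("EventID"), ev.get("Computer")
        except (json.JSONDecodeError, AttributeError):
            continue  # blank, damaged or non-object line: skip, do not abort the sweep
        if eid == 1 and image_name(ev.get("ParentImage")) == VIEWER_IMAGE:
            child = image_name(ev.get("Image"))
            if child in SUSPICIOUS_CHILDREN:
                findings.append(("child_process", host, child))
        elif eid == 3 and image_name(ev.get("Image")) == VIEWER_IMAGE:
            if is_external(ev.get("DestinationIp", "")):
                findings.append(("external_connection", host, ev["DestinationIp"]))
    return findings
```

Calling `triage(SAMPLE_EVENTS.splitlines())` flags the viewer-spawned shells on ws-01 and ws-04 and the outbound connection on ws-03, while the explorer-launched PowerShell and the internal connection pass.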
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the high severity (CVSS 7.8) and the potential for complete system compromise, this vulnerability requires immediate attention. We strongly recommend that all available patches from Oxford Instruments be applied within the organization's standard patching window for critical vulnerabilities. While there is no evidence of active exploitation at this time, the risk of a future attack is significant. Organizations unable to patch immediately must implement the recommended compensating controls and heightened monitoring to mitigate the risk of a security breach.