CVE-2023-24304

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code on systems running IrfanView by tricking users into opening a malicious PDF file. The improper input validation in the PDF.dll plugin enables remote code execution. All users of IrfanView v4.60 are affected.

💻 Affected Systems

Products:
  • IrfanView
Versions: v4.60
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the PDF plugin installed and enabled. The vulnerability is in PDF.dll specifically.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Malware installation or data exfiltration when users open malicious PDF files, often delivered via phishing emails or compromised websites.

🟢 If Mitigated

Limited impact if proper application whitelisting, least privilege principles, and network segmentation are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening a malicious PDF) but no authentication. The CWE-20 (Improper Input Validation) classification suggests that exploitation is straightforward once the vulnerability is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.61 or later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download IrfanView v4.61 or later from the official website.
2. Run the installer.
3. Follow installation prompts to update.
4. Verify the version in Help > About IrfanView.

🔧 Temporary Workarounds

Disable PDF plugin (Windows)

Remove or disable the vulnerable PDF.dll plugin to prevent exploitation:

Move or rename PDF.dll in IrfanView's plugins directory.

Block PDF file association (Windows)

Prevent IrfanView from opening PDF files by default:

Use Windows Settings > Apps > Default apps to change the PDF association to another application.

🧯 If You Can't Patch

  • Implement application control policies to block IrfanView execution
  • Use network segmentation to isolate systems running vulnerable versions

🔍 How to Verify

Check if Vulnerable:

Check IrfanView version in Help > About IrfanView. If version is 4.60, the system is vulnerable.

Check Version:

Not applicable - check via GUI in Help > About

Verify Fix Applied:

Verify IrfanView version is 4.61 or later in Help > About IrfanView.

📡 Detection & Monitoring

Log Indicators:

  • IrfanView crash logs
  • Unexpected process creation from IrfanView
  • Suspicious PDF file access

Network Indicators:

  • Downloads of PDF files from untrusted sources
  • Network connections from IrfanView to suspicious IPs

SIEM Query:

Process creation where parent process contains 'i_view' and child process is suspicious
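
One way to make the query above concrete, as an added example that is not part of the original advisory: it filters process-creation events for an IrfanView parent and a child on a suspicious list. The field names (modelled on Sysmon process-creation events), the list of suspicious child images, the severity rule and the sample events are all assumptions made for illustration.

```python
import ntpath

# Assumption: child images treated as suspicious under an image viewer.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def triage(events):
    """Return (child image name, severity) for each matching event."""
    hits = []
    for ev in events:
        # The page's condition: parent process contains 'i_view'.
        if "i_view" not in _name(ev.get("ParentImage")):
            continue
        child = _name(ev.get("Image"))
        if child not in SUSPICIOUS_CHILDREN:
            continue
        # Assumption: a PDF on the parent's command line raises priority,
        # because the vulnerable code path is the PDF.dll plugin.
        opened_pdf = ".pdf" in (ev.get("ParentCommandLine") or "").lower()
        hits.append((child, "high" if opened_pdf else "medium"))
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\IrfanView\i_view64.exe",
     "ParentCommandLine": r'"i_view64.exe" "C:\Users\a\Downloads\invoice.pdf"',
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Program Files\IrfanView\i_view64.exe",
     "ParentCommandLine": r'"i_view64.exe" "C:\Users\a\Pictures\photo.jpg"',
     "Image": r"C:\Windows\System32\mspaint.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Program Files (x86)\IrfanView\i_view32.exe",
     "ParentCommandLine": r'"i_view32.exe" "C:\Users\a\Pictures\scan.png"',
     "Image": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    for child, severity in triage(SAMPLE_EVENTS):
        print(severity, child)
```

The suspicious-child list should be tuned to the environment, since users may legitimately configure IrfanView to launch external editors.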
