CVE-2024-11515
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious JPM files in IrfanView. Attackers can gain the same privileges as the current user process. All IrfanView users who open untrusted JPM files are affected.
💻 Affected Systems
- IrfanView
📦 What is this software?
Irfanview by Irfanview
Irfanview by Irfanview
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the user running IrfanView, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation leading to user account compromise, data exfiltration, or malware installation on the affected system.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially only crashing the application.
🎯 Exploit Status
Exploitation requires user interaction but is straightforward once malicious file is opened. ZDI has confirmed the vulnerability and exploitation is likely given the nature of buffer overflow vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IrfanView 4.67 and later
Vendor Advisory: https://www.irfanview.com/main_history.htm
Restart Required: No
Instructions:
1. Download latest IrfanView from official website. 2. Run installer. 3. Follow installation prompts. 4. Verify version is 4.67 or higher.
🔧 Temporary Workarounds
Disable JPM file association
windowsRemove IrfanView as default handler for JPM files to prevent automatic exploitation
Open Windows Settings > Apps > Default apps > Choose default apps by file type > Find .jpm > Select different application
Application sandboxing
windowsRun IrfanView with reduced privileges using application control solutions
🧯 If You Can't Patch
- Block JPM files at email gateways and web proxies
- Implement application whitelisting to prevent unauthorized IrfanView execution
🔍 How to Verify
Check if Vulnerable:
Open IrfanView, go to Help > About, check if version is below 4.67Check Version:
irfanview.exe /?Verify Fix Applied:
Confirm IrfanView version is 4.67 or higher in Help > About dialog📡 Detection & Monitoring
Log Indicators:
- IrfanView crash logs with memory access violations
- Windows Application Error events with IrfanView process
Network Indicators:
- Unusual outbound connections from IrfanView process
- JPM file downloads from untrusted sources
SIEM Query:
process_name:"i_view32.exe" OR process_name:"i_view64.exe" AND (event_id:1000 OR event_id:1001) AND exception_code:c0000005