CVE-2024-11517

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious JPM files in IrfanView. Attackers can gain full control of the affected system with the same privileges as the user running IrfanView. All users of vulnerable IrfanView versions are affected.

💻 Affected Systems

Products:
  • IrfanView
Versions: Prior to 4.67
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: JPM file format support is enabled by default in IrfanView installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining the same privileges as the user, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Malicious actors distributing JPM files via email or websites to execute malware, steal credentials, or establish footholds in target networks.

🟢 If Mitigated

Limited to user-level access if IrfanView runs with standard user privileges, but still enables lateral movement and data exfiltration.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

User interaction required (opening malicious file), but exploitation is straightforward once the file is opened. ZDI has confirmed the vulnerability exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.67 and later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download IrfanView 4.67 or later from https://www.irfanview.com/
2. Run the installer
3. Follow installation prompts to update

🔧 Temporary Workarounds

Disable JPM file association (Windows)

Remove IrfanView as the default handler for .jpm files to prevent automatic exploitation

Control Panel > Default Programs > Set Associations > Find .jpm > Change program

Block JPM files at perimeter (all platforms)

Configure email gateways and web filters to block .jpm file attachments

🧯 If You Can't Patch

  • Restrict IrfanView execution to isolated environments or virtual machines
  • Implement application whitelisting to prevent unauthorized IrfanView execution

🔍 How to Verify

Check if Vulnerable:

Check IrfanView version via Help > About. Versions below 4.67 are vulnerable.

Check Version:

irfanview.exe /?

Verify Fix Applied:

Verify IrfanView version is 4.67 or higher in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • IrfanView process crashes when opening JPM files
  • Unusual child processes spawned from IrfanView

Network Indicators:

  • Outbound connections from IrfanView process to unknown IPs
  • DNS requests for suspicious domains after JPM file access

SIEM Query:

(process_name:"i_view32.exe" OR process_name:"i_view64.exe") AND (event_id:1 OR parent_process_name:"explorer.exe")
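
Added example (not part of the original advisory or any vendor tooling): a small triage function for the "unusual child processes spawned from IrfanView" indicator. It assumes process-creation events exported as dicts with Sysmon Event ID 1 field names; the sample events are constructed.

```python
import ntpath
import re

# IrfanView executable names, taken from the SIEM query on this page.
IRFANVIEW_IMAGES = {"i_view32.exe", "i_view64.exe"}
# Matches a .jpm path at the end of an argument (before a quote, space or EOL).
JPM_ARG = re.compile(r'\.jpm(?=["\s]|$)', re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def flag_irfanview_children(events):
    """Return one finding per process-creation event whose parent is IrfanView.

    Assumed schema (Sysmon Event ID 1 field names): EventID, Image,
    CommandLine, ParentImage, ParentCommandLine.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue  # not a process-creation event
        if _basename(ev.get("ParentImage")) not in IRFANVIEW_IMAGES:
            continue  # IrfanView is not the parent
        findings.append({
            "child": _basename(ev.get("Image")),
            "child_cmdline": ev.get("CommandLine", ""),
            # Prioritise children created while the viewer had a .jpm open.
            "jpm_opened": bool(JPM_ARG.search(ev.get("ParentCommandLine") or "")),
        })
    return findings


IV64 = r"C:\Program Files\IrfanView\i_view64.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": IV64, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"%s" "C:\Users\alice\Downloads\scan.jpm"' % IV64,
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": IV64,
     "CommandLine": "cmd.exe /c whoami",
     "ParentCommandLine": r'"%s" "C:\Users\alice\Downloads\scan.jpm"' % IV64},
    {"EventID": 1, "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Program Files (x86)\IrfanView\I_VIEW32.EXE",
     "CommandLine": r'mspaint.exe "C:\Users\alice\Pictures\photo.png"',
     "ParentCommandLine": r'I_VIEW32.EXE "C:\Users\alice\Pictures\photo.png"'},
    {"EventID": 3, "Image": IV64},  # network event: ignored by this check
]

if __name__ == "__main__":
    for finding in flag_irfanview_children(SAMPLE_EVENTS):
        print(finding)
```

Findings with jpm_opened set to True deserve review first; children started from other file types can be legitimate, such as an external editor launched from the viewer.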
