CVE-2024-11535 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2024-11535?

CVE-2024-11535 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files in IrfanView. The flaw exists in DXF file parsing where improper bounds checking enables out-of-bounds reads that can lead to remote code execution. All users running vulnerable versions of IrfanView are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files in IrfanView. The flaw exists in DXF file parsing where improper bounds checking enables out-of-bounds reads that can lead to remote code execution. All users running vulnerable versions of IrfanView are affected.

💻 Affected Systems

Products:

IrfanView

Versions: Versions prior to 4.67

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All Windows versions where IrfanView is installed and configured to handle DXF files are vulnerable by default.

📦 What is this software?

Irfanview by Irfanview

View all CVEs affecting Irfanview →

Irfanview by Irfanview

View all CVEs affecting Irfanview →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation or system compromise when users open malicious DXF files, potentially leading to malware installation or credential theft.

🟢

If Mitigated

Limited impact with proper application sandboxing and user education preventing successful exploitation attempts.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) but the vulnerability is well-documented and weaponization is likely given the RCE potential.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.67 and later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download latest IrfanView from official website 2. Run installer 3. Follow installation prompts 4. Verify version is 4.67 or higher

🔧 Temporary Workarounds

Disable DXF file association

windows

Remove IrfanView as default handler for DXF files to prevent automatic exploitation

Control Panel > Default Programs > Set Associations > Find .DXF > Change to another program

Application sandboxing

windows

Run IrfanView in restricted environment to limit potential damage

🧯 If You Can't Patch

Implement strict file type filtering to block DXF files at network perimeter
Deploy application control policies to restrict IrfanView execution in high-risk environments

🔍 How to Verify

Check if Vulnerable:

Check IrfanView version via Help > About, versions below 4.67 are vulnerable

Check Version:

irfanview.exe /?

Verify Fix Applied:

Confirm version is 4.67 or higher in Help > About dialog

📡 Detection & Monitoring

Log Indicators:

IrfanView crash logs with DXF file references
Windows Application Error logs mentioning IrfanView process crashes

Network Indicators:

Unusual DXF file downloads to user workstations
Outbound connections from IrfanView process post-DXF file opening

SIEM Query:

process_name:"i_view32.exe" OR process_name:"i_view64.exe" AND file_extension:".dxf" AND (event_type:crash OR parent_process:explorer.exe)

📊 Metadata

CVE ID: CVE-2024-11535

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-125

Published: November 22, 2024

Last Updated: November 25, 2024

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-24-1584/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-11535, you might also want to check these: