CVE-2024-11541

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files in IrfanView. Attackers can gain full control of the affected system with the same privileges as the user running IrfanView. All users of vulnerable IrfanView versions are affected.

💻 Affected Systems

Products:
  • IrfanView
Versions: prior to 4.67
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: IrfanView must be configured to handle DXF files, which is common in default installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Malicious actors send phishing emails with crafted DXF attachments, leading to malware installation or credential theft when users open the files.

🟢 If Mitigated

Limited impact when application sandboxing, user education, and file type restrictions keep untrusted DXF files from being opened.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

User interaction required (opening malicious file), but exploitation is straightforward once the file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.67 and later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download latest IrfanView from official website
2. Run installer and follow prompts
3. Verify version is 4.67 or higher

🔧 Temporary Workarounds

Disable DXF file association (Windows)

Remove IrfanView as default handler for DXF files to prevent automatic opening

Control Panel > Default Programs > Set Associations > Find .dxf > Change to another program

Block DXF files at perimeter (all platforms)

Configure email/web gateways to block DXF attachments

🧯 If You Can't Patch

  • Implement application allowlisting to block IrfanView execution
  • Deploy endpoint protection with memory corruption detection

🔍 How to Verify

Check if Vulnerable:

Check the IrfanView version via Help > About; the installation is vulnerable if the version is below 4.67.

Check Version:

Not applicable - check via GUI Help > About

Verify Fix Applied:

Confirm version is 4.67 or higher in Help > About dialog

📡 Detection & Monitoring

Log Indicators:

  • IrfanView process crashes with DXF files
  • Unusual child processes spawned from IrfanView

Network Indicators:

  • Downloads of DXF files from untrusted sources
  • Outbound connections from IrfanView process

SIEM Query:

Process Creation where Image contains 'i_view' and CommandLine contains '.dxf'
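
The SIEM query and the "unusual child processes" indicator above can be correlated so that a child spawned by an IrfanView instance that opened a DXF file ranks higher than either signal alone. This is an added example, not part of the original advisory; the Sysmon Event ID 1 field names, the sample events, and the severity labels are assumptions constructed for illustration.

```python
import ntpath

# Constructed sample events using Sysmon Event ID 1 field names (an assumption;
# the page does not name a log source). Paths and PIDs are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 900,
     "Image": r"C:\Program Files\IrfanView\i_view64.exe",
     "CommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\a\Downloads\plan.DXF"'},
    {"ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
    {"ProcessId": 5002, "ParentProcessId": 900,
     "Image": r"C:\Program Files\IrfanView\i_view64.exe",
     "CommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\a\Pictures\cat.jpg"'},
    {"ProcessId": 5100, "ParentProcessId": 5002,
     "Image": r"C:\Windows\System32\mspaint.exe", "CommandLine": "mspaint.exe cat.jpg"},
    {"ProcessId": 5050, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.dxf.txt"},
]


def is_irfanview(image):
    # Match on the executable name only, as the page's query does ('i_view').
    return "i_view" in ntpath.basename(image).lower()


def detect(events):
    """Return (severity, rule, pid) findings for events given in time order."""
    findings = []
    viewer_pids = {}  # pid -> True if that IrfanView instance was started on a .dxf
    for ev in events:
        pid, ppid = ev["ProcessId"], ev["ParentProcessId"]
        if is_irfanview(ev["Image"]):
            # Rule 1: the page's query, made case-insensitive.
            opened_dxf = ".dxf" in ev["CommandLine"].lower()
            viewer_pids[pid] = opened_dxf
            if opened_dxf:
                findings.append(("info", "irfanview_opened_dxf", pid))
        elif ppid in viewer_pids:
            # Rule 2: child of IrfanView; escalate if the parent opened a DXF.
            severity = "high" if viewer_pids[ppid] else "medium"
            findings.append((severity, "irfanview_spawned_child", pid))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

PIDs are reused by Windows over time, so a production rule should join on Sysmon's ProcessGuid and ParentProcessGuid instead of the numeric IDs used here.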
