CVE-2024-11547
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of IrfanView when users open malicious DWG files. Attackers can gain control of the affected system with the same privileges as the user running IrfanView. All IrfanView users who process DWG files are potentially affected.
💻 Affected Systems
- IrfanView
📦 What is this software?
Irfanview by Irfanview
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local user account compromise leading to data exfiltration, credential theft, or installation of additional malware.
If Mitigated
Limited impact if running with minimal privileges, but still potential for user data compromise.
🎯 Exploit Status
Exploitation requires user interaction to open malicious DWG file. The vulnerability is in a widely used component and has been publicly disclosed with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IrfanView 4.67 and later
Vendor Advisory: https://www.irfanview.com/main_history.htm
Restart Required: No
Instructions:
1. Download IrfanView 4.67 or later from the official website.
2. Run the installer.
3. Follow the installation prompts.
4. Verify the version in Help > About.
🔧 Temporary Workarounds
Disable DWG file association
Windows: Remove IrfanView as the default handler for DWG files to prevent automatic opening
Control Panel > Default Programs > Set Associations > Find .dwg > Change program
Block DWG files at perimeter
All platforms: Configure email and web gateways to block or quarantine DWG attachments
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized code
- Run IrfanView with restricted user privileges using application sandboxing
🔍 How to Verify
Check if Vulnerable:
Open IrfanView, go to Help > About, check if version is earlier than 4.67
Check Version:
irfanview.exe /?
Verify Fix Applied:
Confirm IrfanView version is 4.67 or later in Help > About
📡 Detection & Monitoring
Log Indicators:
- IrfanView crash logs with DWG file references
- Windows Application Event Logs with IrfanView faulting module errors
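To act on the log indicators above, the following added example (not part of the original advisory or any vendor tooling) triages exported Windows "Application Error" (event ID 1000) messages, picks out IrfanView crashes and flags builds older than 4.67. It assumes the messages were exported as plain text and that the version is a dotted number; the sample events and module names are constructed placeholders.

```python
import re

# Executable names from this page's SIEM query; fixed version from the advisory.
IRFANVIEW_EXES = {"i_view32.exe", "i_view64.exe"}
FIXED_VERSION = (4, 67)

# Field layout of the Windows "Application Error" event ID 1000 message text.
APP_RE = re.compile(r"Faulting application name:\s*([^,]+),\s*version:\s*([\d.]+)", re.I)
MOD_RE = re.compile(r"Faulting module name:\s*([^,]+),\s*version:\s*([\d.]+)", re.I)
EXC_RE = re.compile(r"Exception code:\s*(0x[0-9a-fA-F]+)", re.I)

def parse_version(text):
    """Turn '4.66.0.0' into a comparable tuple such as (4, 66, 0, 0)."""
    return tuple(int(part) for part in text.split(".") if part)

def triage(messages):
    """Return one finding per IrfanView crash, marking pre-4.67 builds."""
    findings = []
    for msg in messages:
        app = APP_RE.search(msg)
        if not app or app.group(1).strip().lower() not in IRFANVIEW_EXES:
            continue  # crash of some other application
        mod = MOD_RE.search(msg)
        exc = EXC_RE.search(msg)
        findings.append({
            "exe": app.group(1).strip(),
            "version": app.group(2),
            # Compare major.minor only; the advisory names 4.67 as the fix.
            "unpatched": parse_version(app.group(2))[:2] < FIXED_VERSION,
            "module": mod.group(1).strip() if mod else None,
            "exception": exc.group(1).lower() if exc else None,
        })
    return findings

# Constructed sample messages (not real telemetry); module names are placeholders.
SAMPLE_EVENTS = [
    "Faulting application name: i_view64.exe, version: 4.66.0.0, time stamp: 0x00000000\n"
    "Faulting module name: EXAMPLE_PLUGIN.DLL, version: 1.0.0.0, time stamp: 0x00000000\n"
    "Exception code: 0xc0000005\nFault offset: 0x0000000000001234",
    "Faulting application name: notepad.exe, version: 10.0.0.1, time stamp: 0x00000000\n"
    "Faulting module name: example.dll, version: 1.0.0.0, time stamp: 0x00000000\n"
    "Exception code: 0xc0000005",
    "Faulting application name: i_view32.exe, version: 4.67.0.0, time stamp: 0x00000000\n"
    "Faulting module name: EXAMPLE_OTHER.DLL, version: 2.0.0.0, time stamp: 0x00000000\n"
    "Exception code: 0xC0000409",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A crash on an unpatched build is a prompt to find the file that was open at the time and to upgrade that host; a crash alone does not prove exploitation.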
Network Indicators:
- Downloads of DWG files from untrusted sources
- Outbound connections from IrfanView process to suspicious IPs
SIEM Query:
(process_name:"i_view32.exe" OR process_name:"i_view64.exe") AND (file_extension:".dwg" OR file_name:"*.dwg")