CVE-2024-5875

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious SHP files in IrfanView. The flaw exists in SHP file parsing where improper data validation leads to buffer overflow. All IrfanView users who open untrusted SHP files are affected.

💻 Affected Systems

Products:
  • IrfanView
Versions: prior to 4.67
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All Windows versions where IrfanView is installed and SHP file association exists. Vulnerability requires user interaction to open malicious file.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining same privileges as the user running IrfanView, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Malware execution in user context, potentially leading to credential theft, lateral movement, or data exfiltration from the compromised system.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only application crash or denial of service.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to open a malicious SHP file. No authentication is needed beyond file access. Weaponization is likely given the RCE nature and low complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.67 and later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download latest IrfanView from official website
2. Run installer
3. Follow installation prompts
4. Verify version is 4.67 or higher

🔧 Temporary Workarounds

Disable SHP file association

Platform: windows

Remove IrfanView as default handler for SHP files to prevent automatic exploitation

Control Panel > Default Programs > Set Default Programs > Select IrfanView > Choose defaults for this program > Uncheck .shp

Block SHP files at perimeter

Platform: all

Configure email/web gateways to block SHP file attachments

🧯 If You Can't Patch

  • Run IrfanView with restricted user privileges (non-admin account)
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check the IrfanView version via Help > About. If the version is below 4.67, the system is vulnerable.

Check Version:

irfanview.exe /?

Verify Fix Applied:

Verify IrfanView version is 4.67 or higher in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • IrfanView process crashes with SHP files
  • Unusual child processes spawned from IrfanView
  • SHP file access from untrusted sources

Network Indicators:

  • Outbound connections from IrfanView process to suspicious IPs
  • DNS queries for known C2 domains from IrfanView context

SIEM Query:

Process Creation where (Image contains 'irfanview' AND CommandLine contains '.shp') OR (ParentImage contains 'irfanview' AND NOT Image contains common_whitelist)
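The SIEM query above expressed as runnable detection logic over process-creation events, as an added example that is not part of the advisory. Field names follow the Sysmon Event ID 1 naming the query uses; the allow-list and the sample events are constructed assumptions standing in for the query's 'common_whitelist' placeholder and for real telemetry.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed allow-list of children IrfanView may legitimately spawn; this is a
# stand-in for the 'common_whitelist' placeholder in the advisory's query.
COMMON_WHITELIST = {"explorer.exe", "notepad.exe", "i_view32.exe", "i_view64.exe"}


@dataclass
class ProcessEvent:
    image: str          # full path of the created process (Sysmon: Image)
    command_line: str   # Sysmon: CommandLine
    parent_image: str   # full path of the parent (Sysmon: ParentImage)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_irfanview(path: str) -> bool:
    # Match the install folder name (as the query does) or the real executable
    # names, since the binary itself is i_view32.exe / i_view64.exe.
    return "irfanview" in path.lower() or _basename(path) in {"i_view32.exe", "i_view64.exe"}


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a finding label for one event, or None if it is benign."""
    # Clause 1: IrfanView launched with an .shp file on its command line.
    if _is_irfanview(ev.image) and ".shp" in ev.command_line.lower():
        return "irfanview_opened_shp"
    # Clause 2: IrfanView spawned a child that is not on the allow-list.
    if _is_irfanview(ev.parent_image) and _basename(ev.image) not in COMMON_WHITELIST:
        return "unexpected_child_of_irfanview"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Run the detection over a batch and return (image, label) pairs."""
    return [(ev.image, label) for ev in events if (label := classify(ev))]


# Constructed sample telemetry, not captured from a real host.
IV = r"C:\Program Files\IrfanView\i_view64.exe"
SAMPLE_EVENTS = [
    ProcessEvent(IV, rf'"{IV}" "C:\Users\alice\Downloads\invoice.shp"', r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", IV),
    ProcessEvent(IV, rf'"{IV}" "C:\Users\alice\Pictures\photo.jpg"', r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt", IV),
]

if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

Only the first two constructed events fire; the JPEG open and the allow-listed notepad child are reported as benign.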
