CVE-2017-15747 in IrfanView
Summary
by MITRE
IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows attackers to execute arbitrary code or cause a denial of service via a crafted .dwg file, related to a "Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000700b00260112 called from CADIMAGE+0x00000000003d35ad."
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/08/2026
This vulnerability affects IrfanView version 4.50 64-bit when used with the CADImage plugin version 12.0.0.5, presenting a critical security risk that enables remote code execution or denial of service through maliciously crafted .dwg files. The flaw manifests as a data execution prevention violation occurring at an unknown symbol address 0x0000700b00260112 within the CADIMAGE module, with the execution flow originating from CADIMAGE+0x00000000003d35ad. This represents a classic stack-based buffer overflow condition that bypasses modern exploit mitigation mechanisms including data execution prevention and address space layout randomization. The vulnerability stems from inadequate input validation within the CADImage plugin's handling of Autodesk DWG file formats, specifically when processing malformed header structures or embedded data sequences. Attackers can exploit this weakness by crafting specially designed .dwg files that trigger memory corruption during the parsing process, leading to arbitrary code execution with the privileges of the affected user or application context. The issue falls under CWE-121 Stack-based Buffer Overflow, which is categorized under the broader category of CWE-119 Improper Access to Memory During Buffer Overflow. From an operational perspective, this vulnerability presents a significant risk in environments where users frequently open files from untrusted sources, particularly in corporate settings where IrfanView is commonly used for document review or image processing tasks. The exploitation requires minimal user interaction beyond opening the malicious file, making it particularly dangerous in phishing campaigns or targeted attacks. The vulnerability's impact extends beyond simple code execution to include potential system compromise, data exfiltration, and privilege escalation opportunities. Organizations using IrfanView with CADImage plugin should consider immediate mitigation strategies including disabling the CADImage plugin, implementing strict file validation policies, and deploying application whitelisting solutions. The ATT&CK framework categorizes this vulnerability under T1059 Command and Scripting Interpreter and T1068 Exploitation for Privilege Escalation, as it enables attackers to execute malicious code with elevated privileges. System administrators should also monitor for unusual process behavior, memory access patterns, and potential exploitation attempts through network-based intrusion detection systems. The vulnerability demonstrates the critical importance of proper input validation and memory management in third-party plugins, as the CADImage component fails to adequately sanitize user-supplied data before processing. This flaw represents a failure in software security practices and highlights the need for comprehensive security testing of plugin architectures and third-party components. The exploitation of such vulnerabilities often leads to broader compromise of systems, as attackers can leverage the initial foothold to establish persistent access and move laterally within networks. Regular security updates and patch management procedures become crucial in mitigating risks associated with such memory corruption vulnerabilities in widely used applications.