CVE-2025-9274 Overview
CVE-2025-9274 is an uninitialized pointer vulnerability in Oxford Instruments Imaris Viewer. The flaw exists in the application's IMS file parsing logic. Attackers can leverage this vulnerability to execute arbitrary code in the context of the current user process. Exploitation requires a victim to open a malicious IMS file or visit a malicious page that delivers one. The Zero Day Initiative tracked this issue internally as ZDI-CAN-21657 and published it as advisory ZDI-25-853. The vulnerability is classified under [CWE-824] (Access of Uninitialized Pointer).
Critical Impact
Successful exploitation grants arbitrary code execution under the privileges of the user running Imaris Viewer, enabling endpoint compromise through a single malicious IMS file.
Affected Products
- Oxford Instruments Imaris Viewer 10.0.1
- Workstations used by researchers for microscopy image analysis
- Systems where users open IMS files from untrusted sources
Discovery Timeline
- 2025-09-02 - CVE-2025-9274 published to the National Vulnerability Database
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2025-9274
Vulnerability Analysis
The vulnerability resides in the routine that parses Imaris Scene (IMS) files. Imaris Viewer reads structured data from IMS files to render three-dimensional microscopy datasets. During parsing, the application accesses a pointer before properly initializing it. An attacker who controls the contents of the IMS file can influence the value referenced by this pointer.
Dereferencing an uninitialized pointer with attacker-controlled data allows the attacker to redirect execution. The result is arbitrary code execution within the Imaris Viewer process. The vulnerability requires local access in the form of file delivery, and user interaction is required to trigger the parser.
Root Cause
The root cause is failure to initialize a pointer to a safe default before it is dereferenced during IMS file parsing. This is consistent with [CWE-824], Access of Uninitialized Pointer. The parser assumes the pointer holds a valid object reference, but when a crafted IMS file omits or malforms the relevant structure, the pointer retains residual stack or heap memory contents.
Attack Vector
An attacker crafts a malicious .ims file containing manipulated metadata or structural fields that prevent normal pointer initialization. The attacker delivers the file through email, a shared file repository, or a web page hosting the file. When the victim opens the file in Imaris Viewer, the parser dereferences the uninitialized pointer and transfers execution to attacker-influenced memory. Code then runs with the user's privileges.
For technical specifics, refer to the Zero Day Initiative Advisory ZDI-25-853.
Detection Methods for CVE-2025-9274
Indicators of Compromise
- Unexpected child processes spawned by ImarisViewer.exe such as command shells, scripting hosts, or LOLBins
- IMS files received from external email addresses, web downloads, or removable media before a crash or anomalous process tree
- Crash dumps or Windows Error Reporting events referencing Imaris Viewer modules during IMS file load
- Outbound network connections originating from the Imaris Viewer process to non-Oxford Instruments domains
Detection Strategies
- Monitor process creation events where the parent image is ImarisViewer.exe and the child is a shell, scripting engine, or unsigned binary
- Alert on Imaris Viewer making network connections, since the viewer is primarily an offline image analysis tool
- Inspect file write activity by Imaris Viewer outside expected scratch and project directories
- Hunt for IMS files dropped into user download or temp directories shortly before Imaris Viewer process anomalies
Monitoring Recommendations
- Enable command-line and process tree logging on workstations running scientific imaging software
- Forward endpoint telemetry to a centralized data lake for correlation across hosts in research environments
- Track file-open telemetry for .ims extensions and tag files originating from outside the organization
- Apply application allowlisting controls to prevent child processes spawned from Imaris Viewer when not required
How to Mitigate CVE-2025-9274
Immediate Actions Required
- Restrict opening of IMS files to those originating from trusted internal sources and verified collaborators
- Block inbound .ims attachments at the email gateway pending vendor patch validation
- Remove or restrict Imaris Viewer 10.0.1 from systems where it is not actively required
- Educate research staff to validate the origin of any IMS file before opening it in Imaris Viewer
Patch Information
No fixed version is documented in the available references at the time of writing. Consult the Zero Day Initiative Advisory ZDI-25-853 and Oxford Instruments support channels for the latest patched build of Imaris Viewer and apply it as soon as it is released.
Workarounds
- Open IMS files only inside isolated virtual machines or sandboxed environments without network access
- Run Imaris Viewer under a standard user account with no administrative privileges to limit post-exploitation impact
- Use endpoint protection to enforce process-level network egress rules on ImarisViewer.exe
- Disable file association handlers that auto-launch Imaris Viewer when IMS files are double-clicked from browsers or email clients
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

