CVE-2025-9275 Overview
CVE-2025-9275 is an out-of-bounds write vulnerability [CWE-787] in Oxford Instruments Imaris Viewer. The flaw resides in the parser that processes IMS files. Attackers can leverage the issue to execute arbitrary code in the context of the current user. Exploitation requires the victim to open a crafted IMS file or visit a malicious page that delivers one. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-21655 and published as advisory ZDI-25-854. Imaris Viewer is widely used in life-sciences and microscopy environments, making targeted phishing a realistic delivery method against research organizations.
Critical Impact
A single malicious IMS file can trigger arbitrary code execution in the context of the Imaris Viewer process, leading to full compromise of the user account.
Affected Products
- Oxford Instruments Imaris Viewer 10.0.1
- Earlier versions of Imaris Viewer that share the vulnerable IMS parsing code path
- Workstations and analyst environments that process third-party IMS files
Discovery Timeline
- 2025-09-02 - CVE-2025-9275 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
- Reference - Zero Day Initiative advisory ZDI-25-854 (ZDI-CAN-21655)
Technical Details for CVE-2025-9275
Vulnerability Analysis
The vulnerability is an out-of-bounds write [CWE-787] in the IMS file parser used by Imaris Viewer. IMS is a hierarchical container format derived from HDF5 that stores multidimensional microscopy data. The parser reads attacker-controlled length and offset fields from the IMS file and uses them to populate an internal data structure. Because the parser does not validate these values against the size of the destination buffer, a crafted IMS file forces writes beyond the allocated region. Attackers can corrupt adjacent heap metadata, function pointers, or object virtual tables to redirect execution. Successful exploitation yields code execution under the privileges of the user running Imaris Viewer.
Root Cause
The root cause is missing bounds validation of user-supplied size and index fields before they are used in memory write operations. The parser trusts metadata embedded in the IMS file rather than constraining writes to the actual buffer allocation. This pattern matches the classic out-of-bounds write weakness described in CWE-787.
Attack Vector
Exploitation requires user interaction. A target must open a malicious IMS file received by email, downloaded from a shared drive, or staged on a web page. The attack vector is local, but delivery is straightforward in research collaboration workflows where IMS files are routinely exchanged between labs. No authentication or elevated privileges are required for the attacker to weaponize the file.
No public proof-of-concept code is available. Refer to the Zero Day Initiative advisory ZDI-25-854 for additional technical context.
Detection Methods for CVE-2025-9275
Indicators of Compromise
- IMS files received from untrusted sources, especially outside established research collaborations
- Unexpected child processes spawned by ImarisViewer.exe such as cmd.exe, powershell.exe, or rundll32.exe
- Imaris Viewer crashes with access-violation exceptions logged in Windows Application Event Log
- Outbound network connections originating from the Imaris Viewer process to unknown hosts
Detection Strategies
- Hunt for process-tree anomalies where Imaris Viewer is the parent of script interpreters or living-off-the-land binaries
- Monitor file-write events by ImarisViewer.exe outside its normal working directories
- Inspect IMS files for malformed HDF5 headers and oversized length fields using static parsing tools
Monitoring Recommendations
- Enable command-line and process-creation logging on workstations that handle IMS files
- Forward endpoint telemetry to a centralized data lake to correlate file-open events with subsequent process executions
- Alert on Imaris Viewer crash signatures, since exploitation attempts often produce telltale heap-corruption faults
How to Mitigate CVE-2025-9275
Immediate Actions Required
- Inventory all systems running Oxford Instruments Imaris Viewer and confirm the installed version
- Restrict opening of IMS files to those received from verified, trusted collaborators
- Apply the vendor update as soon as it is available from Oxford Instruments
- Educate analysts and researchers on the phishing risk posed by unsolicited IMS attachments
Patch Information
No fixed version is referenced in the NVD entry at the time of publication. Consult the Zero Day Initiative advisory ZDI-25-854 and the Oxford Instruments support portal for the latest patched build of Imaris Viewer.
Workarounds
- Block inbound IMS file attachments at the mail gateway until patched builds are deployed
- Run Imaris Viewer under a low-privilege standard user account rather than an administrator account
- Use application allowlisting to prevent Imaris Viewer from spawning shells or scripting hosts
- Open untrusted IMS files only inside an isolated virtual machine without network access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

