Skip to main content
CVE Vulnerability Database

CVE-2025-9275: Oxinst Imaris Viewer RCE Vulnerability

CVE-2025-9275 is a remote code execution vulnerability in Oxinst Imaris Viewer caused by improper IMS file parsing. Attackers can exploit this out-of-bounds write flaw to execute code. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-9275 Overview

CVE-2025-9275 is an out-of-bounds write vulnerability [CWE-787] in Oxford Instruments Imaris Viewer. The flaw resides in the parser that processes IMS files. Attackers can leverage the issue to execute arbitrary code in the context of the current user. Exploitation requires the victim to open a crafted IMS file or visit a malicious page that delivers one. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-21655 and published as advisory ZDI-25-854. Imaris Viewer is widely used in life-sciences and microscopy environments, making targeted phishing a realistic delivery method against research organizations.

Critical Impact

A single malicious IMS file can trigger arbitrary code execution in the context of the Imaris Viewer process, leading to full compromise of the user account.

Affected Products

  • Oxford Instruments Imaris Viewer 10.0.1
  • Earlier versions of Imaris Viewer that share the vulnerable IMS parsing code path
  • Workstations and analyst environments that process third-party IMS files

Discovery Timeline

  • 2025-09-02 - CVE-2025-9275 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database
  • Reference - Zero Day Initiative advisory ZDI-25-854 (ZDI-CAN-21655)

Technical Details for CVE-2025-9275

Vulnerability Analysis

The vulnerability is an out-of-bounds write [CWE-787] in the IMS file parser used by Imaris Viewer. IMS is a hierarchical container format derived from HDF5 that stores multidimensional microscopy data. The parser reads attacker-controlled length and offset fields from the IMS file and uses them to populate an internal data structure. Because the parser does not validate these values against the size of the destination buffer, a crafted IMS file forces writes beyond the allocated region. Attackers can corrupt adjacent heap metadata, function pointers, or object virtual tables to redirect execution. Successful exploitation yields code execution under the privileges of the user running Imaris Viewer.

Root Cause

The root cause is missing bounds validation of user-supplied size and index fields before they are used in memory write operations. The parser trusts metadata embedded in the IMS file rather than constraining writes to the actual buffer allocation. This pattern matches the classic out-of-bounds write weakness described in CWE-787.

Attack Vector

Exploitation requires user interaction. A target must open a malicious IMS file received by email, downloaded from a shared drive, or staged on a web page. The attack vector is local, but delivery is straightforward in research collaboration workflows where IMS files are routinely exchanged between labs. No authentication or elevated privileges are required for the attacker to weaponize the file.

No public proof-of-concept code is available. Refer to the Zero Day Initiative advisory ZDI-25-854 for additional technical context.

Detection Methods for CVE-2025-9275

Indicators of Compromise

  • IMS files received from untrusted sources, especially outside established research collaborations
  • Unexpected child processes spawned by ImarisViewer.exe such as cmd.exe, powershell.exe, or rundll32.exe
  • Imaris Viewer crashes with access-violation exceptions logged in Windows Application Event Log
  • Outbound network connections originating from the Imaris Viewer process to unknown hosts

Detection Strategies

  • Hunt for process-tree anomalies where Imaris Viewer is the parent of script interpreters or living-off-the-land binaries
  • Monitor file-write events by ImarisViewer.exe outside its normal working directories
  • Inspect IMS files for malformed HDF5 headers and oversized length fields using static parsing tools

Monitoring Recommendations

  • Enable command-line and process-creation logging on workstations that handle IMS files
  • Forward endpoint telemetry to a centralized data lake to correlate file-open events with subsequent process executions
  • Alert on Imaris Viewer crash signatures, since exploitation attempts often produce telltale heap-corruption faults

How to Mitigate CVE-2025-9275

Immediate Actions Required

  • Inventory all systems running Oxford Instruments Imaris Viewer and confirm the installed version
  • Restrict opening of IMS files to those received from verified, trusted collaborators
  • Apply the vendor update as soon as it is available from Oxford Instruments
  • Educate analysts and researchers on the phishing risk posed by unsolicited IMS attachments

Patch Information

No fixed version is referenced in the NVD entry at the time of publication. Consult the Zero Day Initiative advisory ZDI-25-854 and the Oxford Instruments support portal for the latest patched build of Imaris Viewer.

Workarounds

  • Block inbound IMS file attachments at the mail gateway until patched builds are deployed
  • Run Imaris Viewer under a low-privilege standard user account rather than an administrator account
  • Use application allowlisting to prevent Imaris Viewer from spawning shells or scripting hosts
  • Open untrusted IMS files only inside an isolated virtual machine without network access

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.