CVE-2025-7234 Overview
CVE-2025-7234 is an out-of-bounds write vulnerability in the IrfanView CADImage Plugin. The flaw resides in the plugin's parser for Computer Graphics Metafile (CGM) files. Attackers can leverage this issue to execute arbitrary code in the context of the current user process. Exploitation requires user interaction, meaning the target must open a malicious CGM file or visit a page that delivers one. The Zero Day Initiative tracked this issue as ZDI-CAN-26074 before public disclosure as ZDI-25-495.
Critical Impact
Successful exploitation results in arbitrary code execution within the IrfanView process, enabling attackers to compromise endpoints when users open weaponized CGM files.
Affected Products
- IrfanView (x86 and x64 builds)
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
- Windows endpoints running vulnerable CADImage plugin versions
Discovery Timeline
- 2025-07-21 - CVE-2025-7234 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7234
Vulnerability Analysis
The vulnerability resides in the CGM file parsing logic of the CADImage plugin shipped with IrfanView. CGM is a vector graphics format that encodes drawing primitives through binary command records. The plugin parses these records to render imagery inside IrfanView. The parser fails to properly validate user-supplied length and offset fields when copying data into a fixed-size buffer. As a result, attacker-controlled bytes can be written past the end of the allocated buffer. The flaw is classified as an out-of-bounds write [CWE-787].
Root Cause
The root cause is missing bounds validation on values read directly from the CGM file. The parser trusts size descriptors embedded in malformed records and uses them to drive memory write operations. When an attacker crafts a CGM record with oversized or malformed parameters, the resulting write corrupts adjacent heap or stack memory. Skilled attackers can shape this corruption to overwrite function pointers, return addresses, or object metadata to redirect execution.
Attack Vector
Exploitation is local and user-assisted. An attacker delivers a malicious .cgm file through email, a web download, a shared drive, or a drive-by browser link. When the victim opens the file in IrfanView with the CADImage plugin installed, the parser processes the malformed record and triggers the out-of-bounds write. Code then executes with the privileges of the user running IrfanView. No authentication is required on the target system. Technical details are published in the Zero Day Initiative Advisory ZDI-25-495.
Detection Methods for CVE-2025-7234
Indicators of Compromise
- CGM files (.cgm) arriving through email attachments, web downloads, or shared storage from untrusted sources
- IrfanView (i_view32.exe, i_view64.exe) processes crashing or spawning child processes such as cmd.exe, powershell.exe, or rundll32.exe
- Unexpected writes to user-writable directories or autorun keys following a CGM file open event
- Outbound network connections originating from IrfanView process trees
Detection Strategies
- Monitor process creation events where IrfanView is the parent process of a shell, scripting host, or LOLBin
- Inspect file open telemetry for .cgm files handled by IrfanView, correlating with crash or exception events
- Hunt for module loads of the CADImage plugin DLL followed by anomalous memory allocations
- Apply YARA rules against CGM samples that contain oversized record length fields
Monitoring Recommendations
- Centralize endpoint telemetry covering process lineage, image loads, and file writes from IrfanView
- Alert on IrfanView crash events generated by Windows Error Reporting (WerFault.exe)
- Track email gateway and proxy logs for .cgm attachments and downloads from external senders
How to Mitigate CVE-2025-7234
Immediate Actions Required
- Update the CADImage plugin and IrfanView to the latest vendor-supplied versions once patches are published by CADSoftTools and IrfanView
- Uninstall the CADImage plugin on systems that do not require CGM rendering
- Block inbound .cgm attachments at the email gateway until patched versions are deployed
- Restrict IrfanView execution to a least-privilege user context, removing local administrator rights where possible
Patch Information
Review the Zero Day Initiative Advisory ZDI-25-495 and the CADSoftTools and IrfanView vendor download pages for fixed builds of the CADImage plugin. At the time of NVD publication, the advisory documents the issue but no specific fixed version is listed in the public CVE record. Verify patch status with both vendors before redeploying the plugin.
Workarounds
- Remove or disable the CADImage plugin DLL from the IrfanView Plugins directory to eliminate the vulnerable code path
- Change the default file association for .cgm files away from IrfanView
- Apply Windows Attack Surface Reduction rules that block IrfanView from launching child processes
- Open untrusted CGM files only inside an isolated sandbox or virtual machine
# Example: remove the CADImage plugin from a Windows host
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"
# Block .cgm attachments at an Exchange transport rule (PowerShell)
New-TransportRule -Name "Block CGM Attachments" `
-AttachmentExtensionMatchesWords "cgm" `
-RejectMessageReasonText "CGM attachments are blocked pending CVE-2025-7234 remediation."
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

