Skip to main content
CVE Vulnerability Database

CVE-2025-7239: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7239 is a remote code execution flaw in Cadsofttools Cadimage that enables attackers to execute arbitrary code through malicious DWG files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7239 Overview

CVE-2025-7239 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the plugin's parser for AutoCAD Drawing (DWG) files. Attackers can leverage the bug to execute arbitrary code in the context of the IrfanView process. Exploitation requires user interaction: the victim must open a crafted DWG file or visit a malicious page that delivers one. The issue was reported to the Zero Day Initiative under tracking identifier ZDI-CAN-26085 and published as advisory ZDI-25-506. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

A crafted DWG file opened in IrfanView with the CADImage plugin installed can corrupt process memory and lead to arbitrary code execution at the privilege level of the logged-in user.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x86 and x64 builds)
  • IrfanView (x86) with the CADImage plugin installed
  • IrfanView (x64) with the CADImage plugin installed

Discovery Timeline

  • 2025-07-21 - CVE-2025-7239 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7239

Vulnerability Analysis

The CADImage plugin extends IrfanView with the ability to render CAD formats, including AutoCAD DWG drawings. The vulnerable code path is the DWG parser, which processes attacker-controlled structures from the file without sufficient validation. When the parser consumes malformed length or offset fields, it operates outside the bounds of an allocated buffer and corrupts adjacent memory. Because IrfanView runs the plugin in-process, the resulting corruption is directly reachable from the host application. An attacker who controls the corrupted memory can redirect execution flow to attacker-supplied code. The vulnerability is local in attack vector because the file must be opened by a user, but the file itself can be delivered remotely through email attachments, drive-by downloads, or shared file repositories.

Root Cause

The root cause is missing validation of size and offset fields parsed from DWG records. The plugin trusts attacker-controlled values when computing buffer indices or copy lengths, producing an out-of-bounds memory access consistent with [CWE-119]. Memory corruption in the parsing routine allows overwriting control structures within the same process.

Attack Vector

An attacker crafts a malicious DWG file and induces a user to open it in IrfanView. Opening the file triggers the CADImage plugin, which parses the embedded records and reaches the vulnerable routine. Successful exploitation yields code execution with the privileges of the IrfanView user. Public technical details are available in the Zero Day Initiative Advisory ZDI-25-506.

Detection Methods for CVE-2025-7239

Indicators of Compromise

  • IrfanView (i_view32.exe or i_view64.exe) processes spawning unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe after opening a DWG file.
  • Crash artifacts (WER reports, Application Event Log Faulting module entries) referencing the CADImage plugin DLL during DWG rendering.
  • Inbound DWG files arriving via email, web download, or removable media from untrusted sources.

Detection Strategies

  • Monitor process creation telemetry for IrfanView spawning shells, scripting hosts, or living-off-the-land binaries.
  • Alert on memory access violations or module crashes inside the CADImage plugin loaded by IrfanView.
  • Inspect file write and network connection activity originating from the IrfanView process immediately after a DWG open event.

Monitoring Recommendations

  • Forward endpoint process, image-load, and crash telemetry to a centralized analytics platform and retain it for retrospective hunts.
  • Track installation and version inventory of the CADImage plugin across endpoints to identify unpatched hosts.
  • Apply email and web gateway rules that flag or sandbox DWG attachments delivered from external senders.

How to Mitigate CVE-2025-7239

Immediate Actions Required

  • Identify all endpoints with IrfanView and the CADImage plugin installed, and prioritize them for remediation.
  • Restrict opening of DWG files to trusted sources, and quarantine DWG attachments at the email gateway until patched versions are deployed.
  • Run IrfanView under a standard user account rather than an administrator account to limit the impact of successful exploitation.

Patch Information

At the time of publication, no fixed version is referenced in the NVD entry or the Zero Day Initiative Advisory ZDI-25-506. Administrators should monitor CADSoftTools and IrfanView for updated CADImage plugin releases that address the DWG parsing flaw, and apply them as soon as they become available.

Workarounds

  • Remove or disable the CADImage plugin from IrfanView installations that do not require CAD file support.
  • Block or strip DWG attachments at email and web proxies for users who do not have a legitimate need for them.
  • Apply application control rules that prevent IrfanView from launching child processes such as cmd.exe, powershell.exe, or wscript.exe.
bash
# Example: remove the CADImage plugin DLL from a managed IrfanView install
set IV_DIR="C:\Program Files\IrfanView\Plugins"
if exist %IV_DIR%\CADIMAGE.DLL del /F /Q %IV_DIR%\CADIMAGE.DLL

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.