Skip to main content
CVE Vulnerability Database

CVE-2025-7240: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7240 is a remote code execution vulnerability in Cadsofttools Cadimage DWG file parser that allows attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7240 Overview

CVE-2025-7240 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw exists in the parsing logic for DWG files and stems from insufficient validation of user-supplied data [CWE-119]. Attackers can leverage the issue to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a malicious DWG file or visit a page that delivers one. The Zero Day Initiative tracks the issue as ZDI-CAN-26086 and published advisory ZDI-25-488.

Critical Impact

Successful exploitation grants arbitrary code execution within the IrfanView process, enabling attackers to deploy malware, steal data, or pivot to additional systems.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) installations bundling the CADImage plugin
  • Any workflow that processes untrusted DWG files through the plugin

Discovery Timeline

  • 2025-07-21 - CVE-2025-7240 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7240

Vulnerability Analysis

The vulnerability resides in the DWG file parser shipped with the CADImage plugin. DWG is a proprietary binary format used by AutoCAD and compatible tools to store 2D and 3D design data. The parser reads structured records from the file, including headers, object tables, and geometric entities. When the plugin processes a crafted DWG file, malformed length or offset fields cause the code to access memory outside the bounds of the intended buffer.

This memory corruption condition can overwrite adjacent data structures, function pointers, or return addresses on the stack or heap. An attacker who controls the corrupted memory can redirect execution into attacker-supplied shellcode or chain existing gadgets through return-oriented programming. The vulnerability falls under [CWE-119]: Improper Restriction of Operations within the Bounds of a Memory Buffer.

Root Cause

The parser fails to validate field sizes and offsets against the actual file length before performing read or write operations. Without these checks, attacker-controlled values in the DWG structure drive pointer arithmetic and buffer accesses, leading to out-of-bounds reads or writes inside the plugin's address space.

Attack Vector

The attack vector is local but does not require authentication. An attacker delivers a malicious DWG file through email, a download link, a USB drive, or a compromised website. When the victim opens the file with IrfanView using the CADImage plugin, the parser triggers the corruption and the attacker gains code execution at the privilege level of the user running IrfanView.

No verified exploit code is publicly available. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-488.

Detection Methods for CVE-2025-7240

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe
  • Crashes in IrfanView correlated with the opening of .dwg files, visible in Windows Event Log entries for Application Error
  • Outbound network connections initiated by the IrfanView process shortly after a file open event
  • Newly written executables or scripts in user-writable directories following a DWG file open

Detection Strategies

  • Hunt for process lineage where IrfanView launches command interpreters or scripting hosts, which is not expected behavior for an image viewer
  • Inspect email gateways and web proxies for .dwg attachments originating from untrusted senders or domains
  • Use behavioral endpoint telemetry to identify memory protection violations and access violations inside the IrfanView process

Monitoring Recommendations

  • Enable Windows Defender Exploit Guard or equivalent exploit mitigations on hosts running IrfanView and forward alerts to the SIEM
  • Capture DWG file hashes seen in the environment and correlate against threat intelligence feeds
  • Monitor file system writes in user profile directories that follow execution of IrfanView with a DWG argument

How to Mitigate CVE-2025-7240

Immediate Actions Required

  • Restrict opening of DWG files in IrfanView to trusted sources until a patched plugin version is deployed
  • Remove or disable the CADImage plugin from IrfanView installations that do not require DWG support
  • Enforce application control policies that block IrfanView from spawning command interpreters or scripting engines
  • Train users to treat unsolicited DWG attachments as suspicious, given that exploitation requires user interaction

Patch Information

At the time of NVD publication, no vendor patch URL is listed in the CVE record. Administrators should monitor the Zero Day Initiative Advisory ZDI-25-488 and the CADSoftTools and IrfanView download pages for an updated CADImage plugin release that addresses the DWG parsing flaw. Apply the updated plugin to all x86 and x64 IrfanView deployments once available.

Workarounds

  • Uninstall the CADImage plugin from IrfanView until a fixed version is released
  • Remove the .dwg file association from IrfanView to prevent automatic handling of malicious files
  • Open untrusted CAD files only inside isolated sandboxes or disposable virtual machines
  • Apply Windows file system permissions that prevent IrfanView from writing to sensitive directories
bash
# Remove DWG file association for IrfanView on Windows (run as administrator)
assoc .dwg=
ftype IrfanView.DWG=

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.