CVE-2025-7241 Overview
CVE-2025-7241 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows arbitrary code execution when parsing malformed DWG files. The flaw originates from insufficient validation of user-supplied data within the DWG parsing routines, leading to a memory corruption condition [CWE-119]. An attacker can execute code in the context of the current process by convincing a user to open a crafted DWG file or visit a malicious page hosting one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26087 and disclosed in advisory ZDI-25-489.
Critical Impact
Successful exploitation grants the attacker code execution with the privileges of the user running IrfanView, enabling full compromise of confidentiality, integrity, and availability on the host.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
- IrfanView (x86 and x64 builds) with the CADImage Plugin installed
- Windows systems processing DWG files via the affected plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7241 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7241
Vulnerability Analysis
The vulnerability resides in the DWG file parsing logic implemented by the CADImage Plugin for IrfanView. DWG is the native binary format used by AutoCAD and related CAD tools, and it contains complex nested structures describing drawing entities. The CADImage Plugin reads these structures to render previews and perform conversions inside IrfanView.
The parser fails to properly validate fields extracted from the DWG file before using them to drive memory operations. Untrusted size, offset, or count values from the file are consumed without sufficient bounds checking, corrupting adjacent memory. This corruption is leveraged to hijack control flow and execute attacker-controlled code in the IrfanView process.
Exploitation requires user interaction. The target must open a malicious DWG file or visit a page that triggers the plugin to parse one. Because IrfanView is commonly associated with image and document handling on Windows endpoints, social engineering via email attachments or download links is a viable delivery channel.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119] in the DWG parser. The plugin trusts size and structural metadata embedded in the file rather than validating it against actual buffer allocations.
Attack Vector
The attack vector is local file processing with required user interaction. An attacker delivers a crafted DWG file through email, a watering hole, or a shared workspace. When the user opens the file in IrfanView with the CADImage Plugin enabled, the malformed structures trigger memory corruption and lead to code execution under the user account.
No verified proof-of-concept code is publicly available. Refer to the Zero Day Initiative Advisory ZDI-25-489 for additional technical detail.
Detection Methods for CVE-2025-7241
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command shells, scripting engines, or rundll32.exe.
- Crashes or Windows Error Reporting events referencing the CADImage Plugin module during DWG file open operations.
- Inbound DWG attachments or downloads from untrusted sources followed by anomalous IrfanView process activity.
Detection Strategies
- Hunt for IrfanView processes loading the CADImage Plugin DLL and subsequently performing network connections or writing executables to disk.
- Correlate file open telemetry for .dwg extensions with process injection, memory allocation anomalies, or DEP/ASLR-related exceptions in IrfanView.
- Flag DWG files arriving via email or web download that are opened in IrfanView shortly after delivery on user endpoints.
Monitoring Recommendations
- Enable process creation and module load logging on workstations where IrfanView is installed, focusing on plugin DLL paths.
- Monitor for application crashes tied to IrfanView and review crash dumps for signatures of heap or stack corruption.
- Track DWG file ingress through mail gateways and proxies, and alert when uncommon CAD file types appear in non-engineering user mailboxes.
How to Mitigate CVE-2025-7241
Immediate Actions Required
- Inventory endpoints with IrfanView installed and determine whether the CADImage Plugin is present and enabled.
- Disable or remove the CADImage Plugin on systems that do not require DWG support until a fixed version is confirmed.
- Block inbound DWG attachments at the email gateway for user populations that do not handle CAD files.
- Instruct users not to open DWG files received from untrusted senders or downloaded from unverified sources.
Patch Information
No vendor patch URL is listed in the NVD entry at the time of publication. Administrators should monitor the Zero Day Initiative Advisory ZDI-25-489 and the CADSoftTools and IrfanView vendor sites for an updated CADImage Plugin release and apply it across all affected x86 and x64 installations.
Workarounds
- Remove the CADImage Plugin DLL from the IrfanView Plugins directory on endpoints that do not need DWG rendering.
- Restrict file associations so that .dwg files are not opened by IrfanView by default.
- Enforce application allowlisting to prevent IrfanView from launching unsigned child processes or scripting interpreters.
- Run IrfanView under a low-privileged standard user account and enable exploit mitigations such as DEP, ASLR, and CFG via Windows Defender Exploit Guard.
# Example: remove the CADImage plugin DLL on Windows endpoints
powershell -Command "Get-ChildItem -Path 'C:\Program Files\IrfanView\Plugins\' -Filter 'CADImage*.dll' | Remove-Item -Force"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

