Skip to main content
CVE Vulnerability Database

CVE-2025-7242: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7242 is a remote code execution vulnerability in Cadsofttools Cadimage that exploits DWG file parsing flaws. Attackers can execute arbitrary code when users open malicious files. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-7242 Overview

CVE-2025-7242 is an out-of-bounds read vulnerability in the IrfanView CADImage Plugin that enables arbitrary code execution when parsing crafted DWG files. The flaw resides in the DWG file parser, which fails to properly validate user-supplied data before reading from an allocated buffer. Attackers can leverage the condition to execute code in the context of the current process running IrfanView. Exploitation requires the target user to open a malicious DWG file or visit a page delivering one. The vulnerability was originally tracked by the Zero Day Initiative as ZDI-CAN-26088 and disclosed publicly as ZDI-25-490.

Critical Impact

Successful exploitation grants arbitrary code execution in the context of the IrfanView process, allowing attackers to compromise the host through a single malicious DWG file.

Affected Products

  • IrfanView (x86 and x64 builds)
  • CADSoftTools CADImage Plugin for IrfanView (x86)
  • CADSoftTools CADImage Plugin for IrfanView (x64)

Discovery Timeline

  • 2025-07-21 - CVE-2025-7242 published to NVD with Zero Day Initiative advisory ZDI-25-490
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7242

Vulnerability Analysis

The vulnerability is classified as an out-of-bounds read [CWE-125] within the CADImage plugin used by IrfanView to render DWG (AutoCAD Drawing) files. When the parser processes structures inside a DWG file, it trusts length or offset fields supplied by the file without verifying them against the bounds of the allocated buffer. A crafted file causes the parser to read memory past the end of that buffer.

Because the read can be steered by attacker-controlled fields, adversaries can influence which memory is disclosed and how the resulting data is interpreted. Combined with predictable heap layouts and secondary parsing logic, the primary read primitive can be chained into arbitrary code execution in the IrfanView process. Exploitation runs at the privilege level of the user opening the file, which on typical workstations is sufficient to install persistence, harvest credentials, or move laterally.

Root Cause

The root cause is missing validation of user-supplied data during DWG parsing. The CADImage plugin dereferences offsets or reads length-prefixed fields without ensuring the resulting access remains inside the allocated buffer. The specifics are documented in the Zero Day Initiative Advisory ZDI-25-490.

Attack Vector

The attack requires user interaction. A victim must open a malicious DWG file in IrfanView, or open one delivered through a browser, email attachment, or file share where IrfanView is the default handler. No authentication or elevated privileges are required by the attacker. The scope remains within the IrfanView process, but code execution in that context is sufficient to compromise the user account.

Exploitation code for CVE-2025-7242 is not described in the public advisory. Refer to the ZDI advisory for reproduction details.

Detection Methods for CVE-2025-7242

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, especially command interpreters (cmd.exe, powershell.exe) or script hosts (wscript.exe, mshta.exe).
  • DWG files delivered from untrusted email attachments, chat, or web downloads that trigger IrfanView launches.
  • Crash events or Windows Error Reporting entries referencing the CADImage plugin module during DWG rendering.

Detection Strategies

  • Monitor endpoint telemetry for IrfanView opening DWG files followed by process creation, memory allocation with executable permissions, or outbound network connections.
  • Alert on module loads of the CADImage plugin binary immediately preceding process crashes tied to access violations.
  • Correlate email and web gateway logs for inbound DWG files with subsequent execution events on the same host.

Monitoring Recommendations

  • Enable command-line auditing and Sysmon Event IDs 1 (process create) and 11 (file create) to capture DWG delivery and IrfanView execution chains.
  • Baseline normal IrfanView behavior on engineering workstations to reduce false positives from legitimate CAD viewing.
  • Review file quarantine logs for DWG files flagged by content inspection or sandbox detonation.

How to Mitigate CVE-2025-7242

Immediate Actions Required

  • Update IrfanView and the CADImage Plugin to the latest versions released after the ZDI-25-490 advisory.
  • Restrict IrfanView as the default handler for DWG files on hosts that do not require CAD viewing.
  • Instruct users not to open DWG files from untrusted sources until patching is confirmed.

Patch Information

Refer to the Zero Day Initiative Advisory ZDI-25-490 for vendor coordination status. Apply the latest CADImage plugin update from CADSoftTools and the newest IrfanView release. Verify the CADImage plugin DLL version after installation, as the plugin ships separately from the main IrfanView installer.

Workarounds

  • Remove or disable the CADImage plugin (CADIMAGE.DLL) from the IrfanView Plugins directory if DWG support is not required.
  • Block inbound DWG file attachments at the email gateway for user groups that do not handle CAD data.
  • Enforce application allowlisting to prevent IrfanView from spawning script interpreters or shells.
bash
# Configuration example: remove the CADImage plugin on Windows endpoints
del "%ProgramFiles%\IrfanView\Plugins\CADIMAGE.DLL"
del "%ProgramFiles(x86)%\IrfanView\Plugins\CADIMAGE.DLL"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.