CVE-2025-7243 Overview
CVE-2025-7243 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the plugin's handling of DWG files and stems from insufficient validation of user-supplied data [CWE-119]. An attacker who convinces a user to open a crafted DWG file or visit a malicious page can trigger memory corruption and execute arbitrary code in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26091 and disclosed as ZDI-25-491.
Critical Impact
Successful exploitation grants arbitrary code execution with the privileges of the user running IrfanView, enabling full compromise of confidentiality, integrity, and availability on the affected host.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) with the CADImage plugin installed
- Windows systems processing DWG files through the affected plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7243 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7243
Vulnerability Analysis
The vulnerability exists in the DWG file parser implemented by the CADImage plugin. DWG is a binary CAD file format containing structured records, headers, and object data. The parser reads attacker-controlled fields from the file without enforcing proper bounds or type checks before using those values to allocate, read, or write memory. This category of flaw falls under [CWE-119], improper restriction of operations within the bounds of a memory buffer.
When the malformed DWG is processed, the corrupted memory state can be steered to overwrite control data or function pointers. An attacker who controls the layout of the crafted file can achieve arbitrary code execution within the IrfanView process. The vulnerability requires user interaction, but DWG files are routinely shared across engineering and design workflows, making social engineering practical.
Root Cause
The root cause is the absence of input validation on user-supplied fields parsed from DWG structures. Length values, offsets, or object descriptors are trusted and used directly in memory operations, producing an out-of-bounds or otherwise corrupting access. Full technical details are documented in the Zero Day Initiative Advisory ZDI-25-491.
Attack Vector
Exploitation requires a victim to open a malicious DWG file in IrfanView with the CADImage plugin loaded, or to visit a page that delivers such a file. No authentication is required. Because IrfanView runs in user context, the attacker inherits that user's privileges, which is often sufficient for credential theft, lateral movement, or staging follow-on payloads.
// No verified public proof-of-concept is available.
// See ZDI-25-491 for technical details on the DWG parsing flaw.
Detection Methods for CVE-2025-7243
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- DWG files arriving from untrusted email, chat, or web sources and opened directly in IrfanView.
- Crashes or Windows Error Reporting events referencing the CADImage plugin module within IrfanView.
Detection Strategies
- Hunt for IrfanView processes loading the CADImage plugin DLL and subsequently performing network connections or writing executables to disk.
- Inspect DWG files for malformed headers, oversized object records, or anomalous offset fields prior to user access.
- Correlate file-open telemetry for .dwg extensions with subsequent process creation events under the IrfanView parent.
Monitoring Recommendations
- Enable command-line and image-load logging on endpoints that have IrfanView installed.
- Forward EDR process, module-load, and file-write telemetry to a centralized analytics platform for rule-based and behavioral analysis.
- Alert on IrfanView writing to autorun locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run or the user Startup folder.
How to Mitigate CVE-2025-7243
Immediate Actions Required
- Inventory endpoints running IrfanView and identify systems with the CADImage plugin installed.
- Remove or disable the CADImage plugin on hosts that do not require DWG support.
- Block inbound DWG attachments at email and web gateways until patched versions are deployed.
- Instruct users to avoid opening DWG files from untrusted sources in IrfanView.
Patch Information
No vendor advisory URL is published in the NVD record beyond the Zero Day Initiative Advisory ZDI-25-491. Administrators should monitor the IrfanView and CADSoftTools download pages for updated plugin builds and apply the fixed version as soon as it is released.
Workarounds
- Uninstall the CADImage plugin from IrfanView if DWG viewing is not required.
- Associate .dwg files with a sandboxed or hardened CAD application instead of IrfanView.
- Restrict execution of IrfanView under standard user accounts and apply application-level isolation such as Windows Defender Application Guard or AppLocker policies.
# PowerShell: enumerate IrfanView installations and CADImage plugin presence
Get-ChildItem -Path 'C:\Program Files\IrfanView\Plugins','C:\Program Files (x86)\IrfanView\Plugins' -Filter 'CADImage*' -ErrorAction SilentlyContinue |
Select-Object FullName, Length, LastWriteTime
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

