Skip to main content
CVE Vulnerability Database

CVE-2025-7243: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7243 is a remote code execution vulnerability in Cadsofttools Cadimage affecting DWG file parsing. Attackers can exploit memory corruption to execute arbitrary code. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-7243 Overview

CVE-2025-7243 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the plugin's handling of DWG files and stems from insufficient validation of user-supplied data [CWE-119]. An attacker who convinces a user to open a crafted DWG file or visit a malicious page can trigger memory corruption and execute arbitrary code in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26091 and disclosed as ZDI-25-491.

Critical Impact

Successful exploitation grants arbitrary code execution with the privileges of the user running IrfanView, enabling full compromise of confidentiality, integrity, and availability on the affected host.

Affected Products

  • CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) with the CADImage plugin installed
  • Windows systems processing DWG files through the affected plugin

Discovery Timeline

  • 2025-07-21 - CVE-2025-7243 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7243

Vulnerability Analysis

The vulnerability exists in the DWG file parser implemented by the CADImage plugin. DWG is a binary CAD file format containing structured records, headers, and object data. The parser reads attacker-controlled fields from the file without enforcing proper bounds or type checks before using those values to allocate, read, or write memory. This category of flaw falls under [CWE-119], improper restriction of operations within the bounds of a memory buffer.

When the malformed DWG is processed, the corrupted memory state can be steered to overwrite control data or function pointers. An attacker who controls the layout of the crafted file can achieve arbitrary code execution within the IrfanView process. The vulnerability requires user interaction, but DWG files are routinely shared across engineering and design workflows, making social engineering practical.

Root Cause

The root cause is the absence of input validation on user-supplied fields parsed from DWG structures. Length values, offsets, or object descriptors are trusted and used directly in memory operations, producing an out-of-bounds or otherwise corrupting access. Full technical details are documented in the Zero Day Initiative Advisory ZDI-25-491.

Attack Vector

Exploitation requires a victim to open a malicious DWG file in IrfanView with the CADImage plugin loaded, or to visit a page that delivers such a file. No authentication is required. Because IrfanView runs in user context, the attacker inherits that user's privileges, which is often sufficient for credential theft, lateral movement, or staging follow-on payloads.

// No verified public proof-of-concept is available.
// See ZDI-25-491 for technical details on the DWG parsing flaw.

Detection Methods for CVE-2025-7243

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
  • DWG files arriving from untrusted email, chat, or web sources and opened directly in IrfanView.
  • Crashes or Windows Error Reporting events referencing the CADImage plugin module within IrfanView.

Detection Strategies

  • Hunt for IrfanView processes loading the CADImage plugin DLL and subsequently performing network connections or writing executables to disk.
  • Inspect DWG files for malformed headers, oversized object records, or anomalous offset fields prior to user access.
  • Correlate file-open telemetry for .dwg extensions with subsequent process creation events under the IrfanView parent.

Monitoring Recommendations

  • Enable command-line and image-load logging on endpoints that have IrfanView installed.
  • Forward EDR process, module-load, and file-write telemetry to a centralized analytics platform for rule-based and behavioral analysis.
  • Alert on IrfanView writing to autorun locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run or the user Startup folder.

How to Mitigate CVE-2025-7243

Immediate Actions Required

  • Inventory endpoints running IrfanView and identify systems with the CADImage plugin installed.
  • Remove or disable the CADImage plugin on hosts that do not require DWG support.
  • Block inbound DWG attachments at email and web gateways until patched versions are deployed.
  • Instruct users to avoid opening DWG files from untrusted sources in IrfanView.

Patch Information

No vendor advisory URL is published in the NVD record beyond the Zero Day Initiative Advisory ZDI-25-491. Administrators should monitor the IrfanView and CADSoftTools download pages for updated plugin builds and apply the fixed version as soon as it is released.

Workarounds

  • Uninstall the CADImage plugin from IrfanView if DWG viewing is not required.
  • Associate .dwg files with a sandboxed or hardened CAD application instead of IrfanView.
  • Restrict execution of IrfanView under standard user accounts and apply application-level isolation such as Windows Defender Application Guard or AppLocker policies.
bash
# PowerShell: enumerate IrfanView installations and CADImage plugin presence
Get-ChildItem -Path 'C:\Program Files\IrfanView\Plugins','C:\Program Files (x86)\IrfanView\Plugins' -Filter 'CADImage*' -ErrorAction SilentlyContinue |
  Select-Object FullName, Length, LastWriteTime

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.