Skip to main content
CVE Vulnerability Database

CVE-2025-7244: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7244 is a remote code execution vulnerability in Cadsofttools Cadimage that allows attackers to execute arbitrary code through malicious DWG files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7244 Overview

CVE-2025-7244 is a memory corruption vulnerability in the IrfanView CADImage Plugin from Cadsofttools. The flaw exists in the parser that handles DWG (AutoCAD Drawing) files. Attackers can exploit the issue by delivering a crafted DWG file and convincing a user to open it or visit a malicious page. Successful exploitation results in arbitrary code execution in the context of the IrfanView process. The vulnerability is tracked as ZDI-CAN-26093 and was published through the Zero Day Initiative as advisory ZDI-25-497. It is classified under [CWE-119] for improper restriction of operations within memory buffer bounds.

Critical Impact

Attackers can execute arbitrary code on systems where a user opens a malicious DWG file with the IrfanView CADImage Plugin installed.

Affected Products

  • Cadsofttools CADImage Plugin for IrfanView (x64)
  • Cadsofttools CADImage Plugin for IrfanView (x86)
  • IrfanView (x64 and x86) with the CADImage Plugin installed

Discovery Timeline

  • 2025-07-21 - CVE-2025-7244 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7244

Vulnerability Analysis

The CADImage Plugin extends IrfanView with support for CAD file formats, including DWG. The plugin fails to properly validate user-supplied data within DWG file structures during parsing. A crafted DWG file can trigger a memory corruption condition inside the plugin's parsing routines. Once memory is corrupted, an attacker can steer execution flow and run code in the context of the IrfanView process. Because IrfanView typically runs with the privileges of the logged-on user, attackers gain those privileges on the host. The Zero Day Initiative tracked this submission as ZDI-CAN-26093 and published advisory ZDI-25-497.

Root Cause

The root cause is improper validation of fields parsed from DWG files, falling under [CWE-119]. Untrusted length, offset, or index values from the file structure are used in memory operations without sufficient bounds checking. This results in out-of-bounds reads or writes that corrupt adjacent process memory.

Attack Vector

Exploitation requires user interaction. A target must open a malicious DWG file or visit a page that delivers the file through file-handler associations. The attack runs locally once the user opens the file. No authentication or elevated privileges are required by the attacker, and the payload executes inside the IrfanView process.

No public proof-of-concept code is referenced in the advisory. See the Zero Day Initiative Advisory ZDI-25-497 for additional technical context.

Detection Methods for CVE-2025-7244

Indicators of Compromise

  • DWG files arriving by email, chat, or web download from untrusted sources, especially files opened immediately after delivery.
  • Unexpected child processes spawned by i_view64.exe or i_view32.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
  • Crash events or Windows Error Reporting entries referencing the CADImage plugin DLL within the IrfanView Plugins directory.
  • Outbound network connections initiated by the IrfanView process shortly after opening a DWG file.

Detection Strategies

  • Hunt for process lineage where IrfanView is the parent of interactive shells or scripting engines.
  • Inspect file-write activity from IrfanView to autorun locations such as Startup, Run registry keys, or scheduled tasks.
  • Alert on module loads of the CADImage plugin followed by exception or access violation events in the same process.

Monitoring Recommendations

  • Enable command-line and module-load logging on endpoints that have IrfanView installed.
  • Forward Windows Error Reporting and application crash telemetry to a central log platform for review.
  • Track DWG file handling events on user workstations, particularly within download and email attachment directories.

How to Mitigate CVE-2025-7244

Immediate Actions Required

  • Update the CADImage Plugin to the latest version provided by Cadsofttools as referenced in ZDI-25-497.
  • Remove the CADImage Plugin from IrfanView installations that do not require DWG support.
  • Block inbound DWG files at email and web gateways for users who do not have a business need to receive them.
  • Instruct users not to open DWG files from untrusted sources until patching is confirmed.

Patch Information

No vendor advisory URL is listed in the NVD entry beyond the Zero Day Initiative coordination notice. Administrators should consult the Cadsofttools website for the current CADImage Plugin build and verify that the installed plugin version postdates the publication of ZDI-25-497. Reinstall IrfanView and the plugin from the official source after removing older versions.

Workarounds

  • Uninstall the CADImage Plugin until a fixed version is deployed.
  • Change the default file handler for .dwg files away from IrfanView on systems that do not require CAD viewing.
  • Restrict execution of IrfanView to a limited user account with no local administrative rights.
  • Use application control policies to prevent IrfanView from spawning shells or scripting interpreters.
bash
# Example: remove DWG file association from IrfanView on Windows
reg delete "HKCU\Software\Classes\.dwg" /f
assoc .dwg=

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.