CVE-2025-7246 Overview
CVE-2025-7246 is a memory corruption vulnerability in the IrfanView CADImage plugin developed by CADSoftTools. The flaw resides in the plugin's DWG file parsing logic and stems from insufficient validation of user-supplied data [CWE-119]. Attackers can craft malicious DWG files that trigger memory corruption when opened in IrfanView, leading to arbitrary code execution in the context of the current user process. Exploitation requires user interaction, such as opening a crafted file or visiting a page hosting one. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26095 and assigned advisory ZDI-25-498.
Critical Impact
Attackers can execute arbitrary code in the context of the IrfanView process by convincing a user to open a malicious DWG file, resulting in full compromise of the user's data and session on the affected host.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86)
- CADSoftTools CADImage plugin for IrfanView (x64)
- IrfanView (x86 and x64) installations bundling the vulnerable CADImage plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7246 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7246
Vulnerability Analysis
The vulnerability affects the CADImage plugin, which extends IrfanView with support for CAD file formats including DWG. When IrfanView loads a DWG file, the plugin parses embedded structures without adequately validating field values and buffer boundaries. Crafted values in the DWG stream cause the plugin to read or write outside allocated buffers, corrupting adjacent memory.
The issue is categorized under [CWE-119], improper restriction of operations within the bounds of a memory buffer. Because DWG is a complex binary format with nested records, offsets, and length-prefixed sections, any parser that trusts attacker-controlled sizing values is susceptible to boundary violations.
Root Cause
The root cause is the lack of proper validation of user-supplied data during DWG parsing. The plugin uses length or offset fields taken directly from the file to drive memory operations. When those fields are manipulated, subsequent copy or indexing operations exceed the intended buffer, producing a memory corruption condition attackers can shape into a control-flow hijack.
Attack Vector
Exploitation requires a user to open a crafted DWG file in IrfanView with the CADImage plugin installed. Delivery channels include email attachments, drive-by downloads, shared network drives, or web pages that instruct the user to open a file. Because the attack executes locally after user interaction, successful exploitation yields code execution with the privileges of the IrfanView process, typically the logged-in user.
No public proof-of-concept exploit or in-the-wild exploitation has been documented, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Zero Day Initiative Advisory ZDI-25-498 for additional technical context.
Detection Methods for CVE-2025-7246
Indicators of Compromise
- Unexpected crashes of i_view32.exe or i_view64.exe when handling DWG files, particularly those originating from untrusted sources.
- Creation of child processes by IrfanView (for example, cmd.exe, powershell.exe, or rundll32.exe) shortly after a DWG file is opened.
- DWG files delivered via email, chat, or download that trigger anti-malware alerts on the CADImage parsing path.
Detection Strategies
- Monitor process telemetry for IrfanView spawning interpreters or performing outbound network connections after opening a document.
- Alert on writes to user-writable persistence locations (Run keys, Startup folders, Scheduled Tasks) initiated by the IrfanView process tree.
- Inspect file gateways for DWG attachments and correlate downloads with subsequent IrfanView execution events.
Monitoring Recommendations
- Track installations of the CADImage plugin across the fleet and flag hosts running IrfanView versions distributed before the patched CADImage release.
- Enable crash reporting and correlate Windows Error Reporting (WER) entries for IrfanView with recent DWG file activity.
- Retain endpoint telemetry for file opens, module loads (CADImage.dll), and child process creation for at least 30 days to support retrospective hunts.
How to Mitigate CVE-2025-7246
Immediate Actions Required
- Update the CADImage plugin and IrfanView to the latest versions distributed by CADSoftTools and IrfanView after the ZDI-25-498 disclosure.
- Restrict opening of DWG files from untrusted sources and validate origin before end users interact with them.
- Inventory endpoints with IrfanView and the CADImage plugin installed to scope remediation efforts.
Patch Information
CADSoftTools distributes updated CADImage plugin builds through its official download channels, and IrfanView bundles the plugin with its plugin pack. Administrators should replace vulnerable CADImage plugin binaries with the fixed version referenced by the Zero Day Initiative Advisory ZDI-25-498. Verify installations by checking the plugin version in IrfanView under Help > Installed Plugins.
Workarounds
- Uninstall or remove the CADImage plugin (CADImage.dll) from the IrfanView plugin directory if DWG support is not required.
- Block DWG file types at email gateways and web proxies where CAD workflows do not require them.
- Enforce application control policies that prevent IrfanView from spawning script interpreters or command shells.
# Remove the vulnerable CADImage plugin on Windows endpoints
reg query "HKLM\SOFTWARE\IrfanView" /s
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

