CVE-2025-7248 Overview
CVE-2025-7248 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the parser that processes Drawing Exchange (DWG) files and stems from missing validation of user-supplied data. An attacker who convinces a user to open a crafted DWG file or visit a malicious page can trigger memory corruption and execute arbitrary code in the context of the IrfanView process. The Zero Day Initiative tracked the issue as ZDI-CAN-26098 before assigning advisory ZDI-25-501. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Successful exploitation grants arbitrary code execution under the privileges of the user running IrfanView, enabling malware installation, credential theft, or lateral movement from a single opened file.
Affected Products
- IrfanView (x86 and x64 builds with the CADImage Plugin installed)
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7248 published to the National Vulnerability Database
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2025-7248
Vulnerability Analysis
The vulnerability lives in the CADImage Plugin code path that parses DWG files, the native binary format used by AutoCAD and related tooling. CADImage extends IrfanView so users can preview CAD drawings alongside standard image formats. When the plugin reads structures from a DWG file, it does not properly validate fields supplied by the file before using them to drive memory operations. A crafted file can therefore drive the parser into a state where it reads or writes outside the bounds of allocated buffers.
Exploitation requires user interaction. The target must open a malicious DWG file or browse to a page that delivers one through the browser-to-viewer handoff. Because IrfanView is widely deployed for casual file preview, attackers can pair this flaw with phishing lures referencing engineering or architectural drawings.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119] inside the CADImage DWG parser. Length, offset, or count fields read from the file are trusted without sufficient sanity checking, allowing attacker-controlled values to corrupt heap or stack memory during deserialization of CAD entities.
Attack Vector
The attack vector is local in that the file must reach the victim's machine, but delivery is trivial over email, chat, file shares, or drive-by download. After the user opens the file in IrfanView with the CADImage Plugin loaded, the malformed DWG structures redirect control flow and let the attacker execute code with the privileges of the current process. There is no authentication requirement and no special privilege requirement on the attacker side.
No verified public proof-of-concept code is available. Refer to the Zero Day Initiative Advisory ZDI-25-501 for additional technical context.
Detection Methods for CVE-2025-7248
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, especially command interpreters, scripting hosts, or rundll32.exe.
- IrfanView process crashes (WER entries, Application Error event ID 1000) referencing the CADImage plugin DLL after opening a DWG file.
- DWG files arriving through email or chat from untrusted senders, particularly when the file name does not match expected engineering workflows.
Detection Strategies
- Monitor for IrfanView processes loading the CADImage plugin DLL followed by anomalous memory allocations, thread creation, or outbound network connections.
- Hunt for file-write or persistence activity (Run keys, scheduled tasks, Startup folder additions) initiated by IrfanView shortly after a DWG file is opened.
- Correlate Microsoft-Windows-Windows Error Reporting events that name the CADImage module across multiple endpoints, which can indicate exploitation attempts in progress.
Monitoring Recommendations
- Enable command-line and module-load auditing on workstations where IrfanView is installed, and forward events to a central SIEM or data lake for correlation.
- Alert on DWG files originating from internet zones (Mark-of-the-Web) being opened by IrfanView outside of approved engineering workflows.
- Track outbound network connections initiated by i_view32.exe or i_view64.exe, which should be rare under normal use.
How to Mitigate CVE-2025-7248
Immediate Actions Required
- Inventory endpoints with IrfanView installed and identify which systems have the CADImage Plugin loaded.
- Block or quarantine inbound DWG attachments at the email gateway until the plugin is updated across the fleet.
- Instruct users not to open DWG files from untrusted sources and to validate sender identity for engineering drawings.
Patch Information
No fixed version is referenced in the NVD entry at the time of writing. Monitor the Zero Day Initiative Advisory ZDI-25-501 and the CADSoftTools and IrfanView vendor pages for an updated CADImage Plugin release that addresses the DWG parser flaw. Apply the update on all x86 and x64 installations once available.
Workarounds
- Uninstall or disable the CADImage Plugin until a patched version is released, removing the vulnerable DWG parsing code path from IrfanView.
- Remove file association for .dwg extensions from IrfanView so users cannot launch the vulnerable parser by double-clicking.
- Restrict execution of IrfanView through application control policies (Windows Defender Application Control, AppLocker) on endpoints that do not require CAD preview functionality.
- Open untrusted DWG files only inside an isolated sandbox or virtual machine that lacks access to sensitive data and credentials.
# Example: remove the .dwg file association mapped to IrfanView on Windows
reg delete "HKCU\Software\Classes\.dwg" /f
reg delete "HKCU\Software\Classes\IrfanView.DWG" /f
# Optional: block IrfanView from launching via AppLocker PowerShell cmdlet
New-AppLockerPolicy -RuleType Path -User Everyone -Action Deny `
-Path "%PROGRAMFILES%\IrfanView\i_view64.exe"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

