CVE-2025-7249 Overview
CVE-2025-7249 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the parsing logic for DWG (AutoCAD Drawing) files. Attackers can trigger memory corruption by supplying a crafted DWG file to a vulnerable installation. Successful exploitation results in arbitrary code execution within the context of the IrfanView process. User interaction is required because the victim must open a malicious file or visit a malicious page that delivers one. The Zero Day Initiative tracks this issue as ZDI-CAN-26100 and published advisory ZDI-25-492. The vulnerability is classified under CWE-119 for improper restriction of operations within memory buffer bounds.
Critical Impact
Opening a malicious DWG file in IrfanView with the CADImage plugin installed grants remote attackers arbitrary code execution under the user's privileges.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
- IrfanView (x86 and x64 builds) with the CADImage plugin installed
- Workstations processing DWG files through IrfanView's CAD support
Discovery Timeline
- 2025-07-21 - CVE-2025-7249 published to the National Vulnerability Database
- 2026-06-17 - CVE record last updated in the NVD
Technical Details for CVE-2025-7249
Vulnerability Analysis
The vulnerability exists in the CADImage plugin's DWG file parser, an extension that adds CAD format support to IrfanView. The parser fails to validate user-supplied data inside DWG structures before using it to access memory. When the plugin processes a crafted DWG file, fields controlled by the attacker cause the code to read or write outside intended buffer boundaries. This memory corruption condition is reachable through the file open flow, which is invoked when a user double-clicks a DWG, drags one into IrfanView, or follows a link that triggers the file handler.
The execution occurs in the context of the current user process. Attackers gain the same privileges as the IrfanView instance, which on most desktops runs as the interactive user.
Root Cause
The root cause is the lack of proper validation of size, offset, or count fields parsed from the DWG container. DWG is a complex binary format with nested object tables, section locators, and length-prefixed records. When a length value is trusted without bounds checking, subsequent copy or indexing operations corrupt adjacent memory. This pattern is consistent with the [CWE-119] classification assigned to the issue.
Attack Vector
The attack requires user interaction. A typical scenario involves an attacker delivering a malicious .dwg file by email, file share, or web download. When the victim opens the file in IrfanView with the CADImage plugin loaded, the parser processes the crafted structures and triggers memory corruption. The attacker then redirects execution to controlled code, achieving arbitrary code execution. No verified public proof-of-concept exists at the time of writing. Technical specifics are described in the Zero Day Initiative Advisory ZDI-25-492.
Detection Methods for CVE-2025-7249
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, including shells, scripting hosts, or rundll32.exe
- DWG files originating from email attachments, browser downloads, or removable media that are opened immediately after delivery
- Crash events or Windows Error Reporting entries naming the CADImage plugin DLL inside the IrfanView Plugins directory
- Outbound network connections initiated by IrfanView shortly after a DWG file is opened
Detection Strategies
- Monitor process creation events where the parent is IrfanView and the child is cmd.exe, powershell.exe, wscript.exe, or cscript.exe
- Inspect file write activity by IrfanView outside its installation and configuration directories
- Hunt for image loads of the CADImage plugin followed by anomalous memory allocations with execute permissions
- Correlate DWG file open events with subsequent privilege-sensitive operations such as credential access or persistence
Monitoring Recommendations
- Enable command-line and module-load auditing on endpoints where IrfanView is installed
- Forward endpoint telemetry to a centralized analytics platform for cross-host correlation of DWG-related activity
- Track installation inventory to identify hosts running IrfanView with the CADImage plugin enabled
- Alert on IrfanView crashes that reference CADImage modules, which can indicate exploitation attempts
How to Mitigate CVE-2025-7249
Immediate Actions Required
- Inventory all systems running IrfanView and verify which have the CADImage plugin installed
- Apply the latest CADImage plugin and IrfanView updates from CADSoftTools and the IrfanView vendor once available
- Block inbound .dwg attachments at the mail gateway for users who do not require CAD file handling
- Restrict opening of DWG files received from untrusted sources until the plugin is patched
Patch Information
No vendor patch URL is listed in the public CVE record at the time of writing. Refer to the Zero Day Initiative Advisory ZDI-25-492 for the latest vendor coordination status and download the most recent CADImage plugin build directly from CADSoftTools.
Workarounds
- Uninstall the CADImage plugin from IrfanView on hosts that do not need DWG support
- Remove file association for .dwg extensions from IrfanView so the format does not open automatically
- Run IrfanView under a standard user account with no administrative rights to limit post-exploitation impact
- Use application control policies to block execution of IrfanView when it loads the vulnerable CADImage DLL version
# Remove DWG file association for IrfanView (run as administrator)
assoc .dwg=
ftype IrfanView.DWG=
# Optional: remove the CADImage plugin DLL from the IrfanView Plugins directory
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

