Skip to main content
CVE Vulnerability Database

CVE-2025-7250: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7250 is a remote code execution flaw in Cadsofttools Cadimage DWG parser that allows attackers to execute arbitrary code via malicious files. This article covers technical details, affected systems, and mitigations.

Published:

CVE-2025-7250 Overview

CVE-2025-7250 is an out-of-bounds read vulnerability in the IrfanView CADImage Plugin that enables arbitrary code execution. The flaw resides in the plugin's DWG file parsing logic, where user-supplied data is not properly validated before being used as a buffer index. Attackers can craft a malicious DWG file that, when opened by a user in IrfanView with the CADImage plugin installed, causes the parser to read past the end of an allocated buffer. Successful exploitation allows code execution in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26107 and tracked publicly as ZDI-25-486.

Critical Impact

A single malicious DWG file delivered via email, web download, or shared storage can lead to arbitrary code execution on workstations running vulnerable IrfanView CADImage Plugin versions.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x86)
  • CADSoftTools CADImage plugin for IrfanView (x64)
  • IrfanView (x86 and x64) with the CADImage plugin installed

Discovery Timeline

  • 2025-07-21 - CVE-2025-7250 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7250

Vulnerability Analysis

The vulnerability is classified as an out-of-bounds read [CWE-125] within the CADImage plugin's DWG file handler. DWG is the native binary format for AutoCAD drawings and contains complex nested structures, indexed object tables, and length-prefixed records. The plugin parses these structures to render previews inside IrfanView. When the parser processes a malformed record, it trusts attacker-controlled length or offset values without verifying them against the bounds of the allocated buffer. The parser then reads memory beyond the buffer boundary, which can disclose adjacent process memory or corrupt control data used later in execution. Because the read result feeds subsequent parsing logic, an attacker can shape memory layout and influence control flow, leading to arbitrary code execution in the IrfanView process. Exploitation requires user interaction: the victim must open the malicious DWG file or visit a page that triggers IrfanView to process it.

Root Cause

The root cause is missing validation of size and offset fields embedded in the DWG file structure. The CADImage plugin reads attacker-controlled values from the file and uses them directly to index into a heap-allocated buffer without checking whether the resulting access stays within bounds.

Attack Vector

The attack vector is local and requires user interaction. An attacker delivers a crafted .dwg file through phishing, drive-by download, or removable media. When the user opens the file in IrfanView, the CADImage plugin parses it and triggers the out-of-bounds read. Code executes with the privileges of the logged-on user.

The vulnerability cannot be demonstrated with synthetic code without
proprietary DWG parsing internals. Refer to the Zero Day Initiative
advisory ZDI-25-486 for additional technical detail.

Detection Methods for CVE-2025-7250

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command interpreters such as cmd.exe, powershell.exe, or rundll32.exe.
  • DWG files arriving via email attachments, browser downloads, or network shares that are opened by users without a business need for CAD files.
  • IrfanView process crashes or access violation events logged in the Windows Application event log referencing the CADImage plugin DLL.

Detection Strategies

  • Hunt for process trees where IrfanView spawns scripting hosts, LOLBins, or network-capable binaries shortly after opening a .dwg file.
  • Inspect file write and registry persistence events originating from the IrfanView process during DWG file handling.
  • Apply YARA or content rules to flag DWG files containing malformed object table headers or anomalously large length fields.

Monitoring Recommendations

  • Forward endpoint process, file, and module-load telemetry to a centralized analytics platform and alert on CADImage plugin loads followed by anomalous behavior.
  • Monitor email and web proxy logs for inbound DWG attachments and downloads from untrusted sources.
  • Track IrfanView versions and installed plugins across the fleet to identify hosts that remain vulnerable after patch deployment.

How to Mitigate CVE-2025-7250

Immediate Actions Required

  • Update the CADImage plugin to the latest version released by CADSoftTools and update IrfanView to the current release.
  • Restrict opening of DWG files to users with a documented business need and block DWG attachments at the email gateway where feasible.
  • Educate users to avoid opening DWG files from untrusted sources, since exploitation requires user interaction.

Patch Information

Refer to the Zero Day Initiative Advisory ZDI-25-486 for vendor coordination details and the fixed plugin version. Apply the CADSoftTools CADImage plugin update on every host that has IrfanView with CAD support enabled.

Workarounds

  • Uninstall or disable the CADImage plugin on systems that do not require DWG preview functionality.
  • Associate .dwg files with a hardened CAD viewer rather than IrfanView until the plugin is patched.
  • Run IrfanView under a standard user account and enforce application allowlisting to constrain post-exploitation activity.
bash
# Remove the CADImage plugin DLL from a Windows host (run as admin)
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"

# Verify the plugin is no longer loaded
tasklist /m CADImage.dll

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.