CVE-2025-7250 Overview
CVE-2025-7250 is an out-of-bounds read vulnerability in the IrfanView CADImage Plugin that enables arbitrary code execution. The flaw resides in the plugin's DWG file parsing logic, where user-supplied data is not properly validated before being used as a buffer index. Attackers can craft a malicious DWG file that, when opened by a user in IrfanView with the CADImage plugin installed, causes the parser to read past the end of an allocated buffer. Successful exploitation allows code execution in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26107 and tracked publicly as ZDI-25-486.
Critical Impact
A single malicious DWG file delivered via email, web download, or shared storage can lead to arbitrary code execution on workstations running vulnerable IrfanView CADImage Plugin versions.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86)
- CADSoftTools CADImage plugin for IrfanView (x64)
- IrfanView (x86 and x64) with the CADImage plugin installed
Discovery Timeline
- 2025-07-21 - CVE-2025-7250 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7250
Vulnerability Analysis
The vulnerability is classified as an out-of-bounds read [CWE-125] within the CADImage plugin's DWG file handler. DWG is the native binary format for AutoCAD drawings and contains complex nested structures, indexed object tables, and length-prefixed records. The plugin parses these structures to render previews inside IrfanView. When the parser processes a malformed record, it trusts attacker-controlled length or offset values without verifying them against the bounds of the allocated buffer. The parser then reads memory beyond the buffer boundary, which can disclose adjacent process memory or corrupt control data used later in execution. Because the read result feeds subsequent parsing logic, an attacker can shape memory layout and influence control flow, leading to arbitrary code execution in the IrfanView process. Exploitation requires user interaction: the victim must open the malicious DWG file or visit a page that triggers IrfanView to process it.
Root Cause
The root cause is missing validation of size and offset fields embedded in the DWG file structure. The CADImage plugin reads attacker-controlled values from the file and uses them directly to index into a heap-allocated buffer without checking whether the resulting access stays within bounds.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a crafted .dwg file through phishing, drive-by download, or removable media. When the user opens the file in IrfanView, the CADImage plugin parses it and triggers the out-of-bounds read. Code executes with the privileges of the logged-on user.
The vulnerability cannot be demonstrated with synthetic code without
proprietary DWG parsing internals. Refer to the Zero Day Initiative
advisory ZDI-25-486 for additional technical detail.
Detection Methods for CVE-2025-7250
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command interpreters such as cmd.exe, powershell.exe, or rundll32.exe.
- DWG files arriving via email attachments, browser downloads, or network shares that are opened by users without a business need for CAD files.
- IrfanView process crashes or access violation events logged in the Windows Application event log referencing the CADImage plugin DLL.
Detection Strategies
- Hunt for process trees where IrfanView spawns scripting hosts, LOLBins, or network-capable binaries shortly after opening a .dwg file.
- Inspect file write and registry persistence events originating from the IrfanView process during DWG file handling.
- Apply YARA or content rules to flag DWG files containing malformed object table headers or anomalously large length fields.
Monitoring Recommendations
- Forward endpoint process, file, and module-load telemetry to a centralized analytics platform and alert on CADImage plugin loads followed by anomalous behavior.
- Monitor email and web proxy logs for inbound DWG attachments and downloads from untrusted sources.
- Track IrfanView versions and installed plugins across the fleet to identify hosts that remain vulnerable after patch deployment.
How to Mitigate CVE-2025-7250
Immediate Actions Required
- Update the CADImage plugin to the latest version released by CADSoftTools and update IrfanView to the current release.
- Restrict opening of DWG files to users with a documented business need and block DWG attachments at the email gateway where feasible.
- Educate users to avoid opening DWG files from untrusted sources, since exploitation requires user interaction.
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-486 for vendor coordination details and the fixed plugin version. Apply the CADSoftTools CADImage plugin update on every host that has IrfanView with CAD support enabled.
Workarounds
- Uninstall or disable the CADImage plugin on systems that do not require DWG preview functionality.
- Associate .dwg files with a hardened CAD viewer rather than IrfanView until the plugin is patched.
- Run IrfanView under a standard user account and enforce application allowlisting to constrain post-exploitation activity.
# Remove the CADImage plugin DLL from a Windows host (run as admin)
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"
# Verify the plugin is no longer loaded
tasklist /m CADImage.dll
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

