Skip to main content
CVE Vulnerability Database

CVE-2025-7251: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7251 is a remote code execution flaw in Cadsofttools Cadimage Plugin affecting DWG file parsing. Attackers can exploit this out-of-bounds read to execute arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7251 Overview

CVE-2025-7251 is an out-of-bounds read vulnerability in the IrfanView CADImage Plugin that leads to remote code execution. The flaw exists in the parsing of DWG files, where the plugin fails to properly validate user-supplied data before reading from an allocated buffer. Attackers can leverage this issue to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a crafted DWG file or visit a malicious page delivering one. The issue was reported through the Zero Day Initiative and tracked as ZDI-CAN-26108.

Critical Impact

A crafted DWG file processed by the IrfanView CADImage Plugin can trigger code execution in the context of the IrfanView process, resulting in full compromise of the user's session.

Affected Products

  • CADSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
  • IrfanView (x86 and x64 builds) with the CADImage Plugin installed
  • Systems processing untrusted DWG files through IrfanView

Discovery Timeline

  • 2025-07-21 - CVE-2025-7251 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7251

Vulnerability Analysis

The vulnerability is classified as an out-of-bounds read [CWE-125] within the CADImage Plugin's DWG file parser. When the plugin processes a malformed DWG structure, it reads memory past the end of an allocated buffer. This out-of-bounds condition can be shaped by an attacker to disclose adjacent memory or corrupt program state, ultimately leading to arbitrary code execution in the context of IrfanView.

The attack surface is local because the victim must open the malicious file, but delivery over the network is trivial through phishing, drive-by download, or embedded links. Successful exploitation grants the attacker the same privileges as the user running IrfanView, with high impact to confidentiality, integrity, and availability.

Root Cause

The root cause is the lack of proper validation of user-supplied length or offset fields inside the DWG file format. The CADImage parser trusts values embedded in the file when calculating buffer read positions. Because bounds are not enforced against the allocated buffer size, a malformed record causes the parser to read outside the buffer, corrupting downstream logic that relies on the returned data.

Attack Vector

An attacker crafts a DWG file containing manipulated size, offset, or record-count fields that force the parser to dereference memory past the end of the allocated structure. The attacker delivers the file through email attachments, a malicious website, a shared drive, or any other channel that results in the target opening it in IrfanView. When IrfanView invokes the CADImage Plugin to render the file, the out-of-bounds read is triggered and can be chained into arbitrary code execution within the IrfanView process.

No public proof-of-concept is available at this time. Technical details are described in the Zero Day Initiative Advisory ZDI-25-483.

Detection Methods for CVE-2025-7251

Indicators of Compromise

  • Unexpected crashes or abnormal termination of i_view32.exe or i_view64.exe shortly after opening a DWG file.
  • Presence of CADImage.dll (or related CADImage Plugin binaries) alongside recently accessed DWG files from untrusted sources.
  • IrfanView processes spawning unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe.
  • Outbound network connections initiated by the IrfanView process immediately after DWG file access.

Detection Strategies

  • Monitor process telemetry for IrfanView loading the CADImage Plugin and subsequently executing suspicious child processes.
  • Alert on DWG file writes originating from browser downloads, email clients, or messaging applications followed by execution in IrfanView.
  • Enable Windows Error Reporting and crash telemetry to identify repeated faults in the CADImage parsing routines.

Monitoring Recommendations

  • Log all DWG file opens by IrfanView on user endpoints and correlate with file origin metadata.
  • Track loading of CADImage plugin modules by IrfanView processes across the fleet to identify affected installations.
  • Collect memory dumps on IrfanView crashes for post-incident analysis of potential exploitation attempts.

How to Mitigate CVE-2025-7251

Immediate Actions Required

  • Inventory endpoints with IrfanView and identify systems where the CADImage Plugin is installed.
  • Restrict opening of DWG files from untrusted sources until a patched version is deployed.
  • Educate users about the risk of opening DWG attachments or files downloaded from unverified locations.
  • Apply application allow-listing to prevent IrfanView from spawning interpreter or shell processes.

Patch Information

At the time of publication, no vendor advisory URL is listed for CADSoftTools CADImage or IrfanView in the NVD entry. Administrators should monitor the Zero Day Initiative Advisory ZDI-25-483 and vendor download pages for updated plugin releases and install the latest CADImage Plugin build for IrfanView as soon as it becomes available.

Workarounds

  • Uninstall or disable the CADImage Plugin in IrfanView until a fixed version is released.
  • Remove DWG file associations from IrfanView so that untrusted files cannot invoke the vulnerable parser automatically.
  • Open untrusted DWG files only inside an isolated sandbox or virtual machine without access to sensitive data.
  • Enforce least-privilege user accounts so that successful exploitation does not yield administrative rights on the host.
bash
# Example: remove the CADImage plugin DLL from an IrfanView installation on Windows
# Adjust the path to match your IrfanView Plugins directory
set IV_PLUGINS="C:\Program Files\IrfanView\Plugins"
if exist %IV_PLUGINS%\CADImage.dll (
    ren %IV_PLUGINS%\CADImage.dll CADImage.dll.disabled
)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.