Skip to main content
CVE Vulnerability Database

CVE-2025-7252: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7252 is a remote code execution flaw in Cadsofttools Cadimage affecting DWG file parsing that allows attackers to execute arbitrary code. This article covers the technical details, affected versions, and mitigations.

Published:

CVE-2025-7252 Overview

CVE-2025-7252 is an out-of-bounds read vulnerability in the IrfanView CADImage Plugin that enables arbitrary code execution. The flaw resides in the plugin's DWG file parser, which fails to properly validate user-supplied data before reading from an allocated buffer. Attackers can trigger the vulnerability by convincing a user to open a crafted DWG file or visit a malicious page that delivers one. Successful exploitation leads to code execution in the context of the IrfanView process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26109 and tracked publicly as ZDI-25-484. The vulnerability is classified under [CWE-125] Out-of-Bounds Read.

Critical Impact

A crafted DWG file processed by the CADImage Plugin allows attackers to execute arbitrary code with the privileges of the IrfanView user.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x64)
  • CADSoftTools CADImage plugin for IrfanView (x86)
  • IrfanView (x64 and x86) with the CADImage plugin installed

Discovery Timeline

  • 2025-07-21 - CVE-2025-7252 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7252

Vulnerability Analysis

The vulnerability exists in the CADImage Plugin extension that adds CAD format support to IrfanView. When the plugin parses a Drawing Exchange (DWG) file, it reads structured records that describe geometry, layers, and embedded objects. The parser trusts size and offset values supplied inside the DWG container without validating them against the bounds of the underlying allocated buffer. A malformed record causes the parser to read past the end of that buffer.

An out-of-bounds read in a complex file format parser does more than disclose memory. Adjacent heap data can contain pointers, vtables, and object metadata that the plugin later uses for control-flow decisions. By shaping the heap with auxiliary structures inside the DWG file, an attacker can influence which values are read and how subsequent processing dereferences them, ultimately steering execution into attacker-controlled data.

Exploitation requires the victim to open the crafted file in IrfanView. The attack vector is local but commonly delivered through email attachments, drive-by downloads, or shared file repositories. Code runs with the privileges of the logged-on user, which on most workstations includes access to user documents, credentials cached in the browser, and the ability to drop persistence payloads.

Root Cause

The root cause is missing bounds validation on length or offset fields extracted from the DWG input. The parser advances a read pointer based on attacker-controlled sizes without confirming that the resulting read remains inside the allocated buffer.

Attack Vector

An attacker crafts a DWG file containing malformed structural fields and delivers it to the target through any channel that results in the file being opened by IrfanView with the CADImage Plugin enabled. User interaction is required, but no authentication is needed.

No public proof-of-concept code is available. Refer to the Zero Day Initiative Advisory ZDI-25-484 for additional technical context.

Detection Methods for CVE-2025-7252

Indicators of Compromise

  • IrfanView (i_view64.exe or i_view32.exe) spawning command interpreters such as cmd.exe, powershell.exe, or wscript.exe shortly after opening a DWG file.
  • Crash dumps or Windows Error Reporting events referencing the CADImage plugin module (CADImage.dll) with access violation codes consistent with reads outside allocated memory.
  • Unexpected network connections initiated by the IrfanView process following the open of a CAD file.

Detection Strategies

  • Hunt for IrfanView processes loading CADImage.dll and subsequently creating child processes that are not part of the documented application workflow.
  • Inspect email gateway and web proxy logs for inbound DWG attachments and downloads, particularly from unverified senders or recently registered domains.
  • Correlate file open events on .dwg files with module load and process creation telemetry from the same user session.

Monitoring Recommendations

  • Enable command-line and module-load auditing on endpoints that have IrfanView and the CADImage plugin installed.
  • Forward Sysmon process, image-load, and file-create events to a centralized log platform for retroactive hunting.
  • Track exceptions and crashes generated by i_view64.exe and i_view32.exe, treating repeated faults in CAD parsing modules as suspicious.

How to Mitigate CVE-2025-7252

Immediate Actions Required

  • Update the CADImage Plugin and IrfanView to the latest versions released by CADSoftTools and IrfanView following the ZDI advisory.
  • Restrict opening of DWG files to trusted sources and block inbound DWG attachments at the email gateway where business workflows allow.
  • Apply application allow-listing or attack-surface-reduction rules that prevent IrfanView from spawning script interpreters or shells.

Patch Information

Review the Zero Day Initiative Advisory ZDI-25-484 for vendor coordination status and install the latest CADImage Plugin and IrfanView builds from the official vendor download pages. No vendor advisory URL is listed in the NVD record at the time of writing.

Workarounds

  • Uninstall or disable the CADImage Plugin on endpoints that do not require CAD file viewing in IrfanView.
  • Remove file association between .dwg files and IrfanView so that double-clicking a DWG file does not invoke the vulnerable parser.
  • Run IrfanView under a standard user account and avoid opening untrusted CAD files until patches are confirmed deployed.
bash
# Remove .dwg file association with IrfanView on Windows
assoc .dwg=
ftype IrfanView.DWG=

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.