CVE-2025-7253 Overview
CVE-2025-7253 is a memory corruption vulnerability in the IrfanView CADImage plugin developed by CADSoftTools. The flaw exists in the parsing logic for DWG (AutoCAD Drawing) files and stems from insufficient validation of user-supplied data [CWE-119]. Attackers can leverage this issue to execute arbitrary code in the context of the current process running IrfanView. Exploitation requires user interaction, where the target must open a malicious DWG file or visit a malicious page that delivers one. The vulnerability was reported through Trend Micro's Zero Day Initiative as ZDI-CAN-26112 and published as advisory ZDI-25-493.
Critical Impact
Successful exploitation grants arbitrary code execution with the privileges of the user running IrfanView, enabling system compromise from a single malicious DWG file.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86 and x64 builds)
- IrfanView (x86 and x64 builds) with the CADImage plugin installed
- Windows systems where users open untrusted DWG files
Discovery Timeline
- 2025-07-21 - CVE-2025-7253 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7253
Vulnerability Analysis
The vulnerability resides in the DWG file parser implemented by the CADImage plugin for IrfanView. DWG is a proprietary binary format used by AutoCAD and supported by third-party CAD viewers. The parser fails to validate user-supplied data within crafted DWG structures, producing a memory corruption condition during file processing. Attackers can shape the corrupted memory state to redirect execution flow inside the IrfanView process. Because the attack vector is local and requires user interaction, social engineering typically delivers the payload through email attachments, drive-by downloads, or shared file repositories.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119] during DWG parsing. The plugin trusts size or offset fields embedded in the DWG file without bounds checking. Crafted values cause reads or writes outside allocated buffers, corrupting adjacent heap or stack memory used by IrfanView.
Attack Vector
An attacker crafts a malicious DWG file containing manipulated header or section data that triggers the parsing flaw. The victim opens the file in IrfanView with the CADImage plugin loaded, or browses to a page that delivers the file through a download prompt. Parsing the document corrupts process memory and transfers control to attacker-supplied code. The resulting code executes with the privileges of the logged-on user, supporting follow-on actions such as credential theft, persistence, or lateral movement. Refer to the Zero Day Initiative Advisory ZDI-25-493 for additional technical detail.
Detection Methods for CVE-2025-7253
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe immediately after a DWG file is opened
- IrfanView process crashes or access violation events logged in the Windows Application event log referencing the CADImage plugin module
- DWG files arriving through email, messaging, or web downloads from unverified sources
- Outbound network connections initiated by IrfanView shortly after image or CAD file viewing
Detection Strategies
- Monitor process creation telemetry for IrfanView spawning command interpreters such as cmd.exe, powershell.exe, or rundll32.exe
- Alert on writes to autorun registry keys or Startup folders by the IrfanView process
- Inspect file-write events where IrfanView drops executable content (.exe, .dll, .scr) to user-writable directories
Monitoring Recommendations
- Enable command-line and module-load auditing on endpoints where IrfanView is installed
- Track loaded modules of i_view32.exe and i_view64.exe for the presence of the CADImage plugin DLL
- Forward endpoint telemetry to a centralized analytics platform and apply behavioral rules that flag image viewers performing process injection or shell execution
How to Mitigate CVE-2025-7253
Immediate Actions Required
- Inventory endpoints running IrfanView with the CADImage plugin and prioritize remediation on workstations that handle CAD files
- Block delivery of DWG attachments from external senders at the email gateway until a patched plugin version is deployed
- Instruct users to refuse opening DWG files from untrusted sources and to verify provenance through a secondary channel
- Restrict execution of IrfanView under standard user accounts rather than privileged accounts to limit blast radius
Patch Information
At the time of NVD publication, no vendor patch URL was listed in the advisory. Monitor the Zero Day Initiative Advisory ZDI-25-493 and the CADSoftTools and IrfanView vendor sites for an updated CADImage plugin release that addresses the DWG parsing flaw. Apply the updated plugin to all affected hosts once available.
Workarounds
- Uninstall or disable the CADImage plugin until a fixed version is published if DWG viewing is not business-critical
- Associate .dwg file extensions with a hardened CAD viewer and remove IrfanView from the handler list for that extension
- Run IrfanView inside an application sandbox or restricted user context that blocks process creation and network egress
- Enforce Attack Surface Reduction rules that prevent Office and image viewer processes from launching child executables
# Remove .dwg file association for IrfanView on Windows (run as admin)
reg delete "HKLM\SOFTWARE\Classes\.dwg" /f
reg delete "HKCU\SOFTWARE\Classes\.dwg" /f
# Block IrfanView from spawning shells via Windows Defender ASR
Set-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a `
-AttackSurfaceReductionRules_Actions Enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

