CVE-2025-7255 Overview
CVE-2025-7255 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the parser that handles AutoCAD Drawing (DWG) files. An attacker who convinces a user to open a crafted DWG file, or to visit a page that delivers one, can corrupt process memory and execute arbitrary code in the context of the current user. The issue is tracked by the Zero Day Initiative as ZDI-CAN-26118 and classified under [CWE-119]: improper restriction of operations within the bounds of a memory buffer.
Critical Impact
Successful exploitation gives an attacker arbitrary code execution as the IrfanView user, with full confidentiality, integrity, and availability impact on the host.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86)
- CADSoftTools CADImage plugin for IrfanView (x64)
- IrfanView (x86 and x64) installations with the CADImage plugin enabled
Discovery Timeline
- 2025-07-21 - CVE-2025-7255 published to NVD
- 2026-06-17 - Last updated in NVD database
- Reference - Zero Day Initiative advisory ZDI-25-500 (ZDI-CAN-26118)
Technical Details for CVE-2025-7255
Vulnerability Analysis
The CADImage plugin extends IrfanView with the ability to render CAD formats, including AutoCAD DWG. The vulnerability is reachable through the standard file-open flow: when IrfanView loads a DWG file, the CADImage plugin parses the binary structure to build an in-memory representation for rendering. Insufficient validation of attacker-controlled fields during parsing leads to a memory corruption condition.
Exploitation requires user interaction. The victim must open a malicious DWG file or browse to content that triggers the plugin to process one. Because the attack runs inside the IrfanView process, the attacker inherits the privileges of the logged-in user. On typical workstations this is enough to drop payloads, persist, and pivot to other systems.
Root Cause
The root cause is improper validation of user-supplied data inside the DWG parser shipped with the CADImage plugin, mapped to [CWE-119]. Size fields, offsets, or record counts read from the file are trusted without bounds checking. When the parser uses these values to allocate buffers, copy data, or index structures, it writes outside the intended memory region. Attackers shape this corruption to overwrite control data such as function pointers or virtual table entries and redirect execution.
Attack Vector
The attack vector is local file processing with user interaction required. A typical delivery chain involves emailing the DWG file, hosting it on a shared drive, or embedding it on a web page that invites the user to open it. No authentication or elevated privileges are needed on the target. Technical details are available in the ZDI-25-500 advisory; no public proof-of-concept code has been released.
Detection Methods for CVE-2025-7255
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- Inbound DWG files arriving via email, chat, or download from untrusted sources, especially when paired with social engineering.
- IrfanView crashes or Windows Error Reporting events tied to the CADImage plugin module during DWG file opens.
- Outbound network connections from the IrfanView process immediately after a DWG file is opened.
Detection Strategies
- Hunt for process lineage where IrfanView is the parent of interpreters, script hosts, or LOLBins.
- Inspect file write activity by IrfanView outside of expected image and configuration paths.
- Alert on module loads of the CADImage plugin DLL followed by anomalous memory allocations or thread creation in the IrfanView process.
- Correlate user-opened DWG files with subsequent endpoint behavioral alerts to identify weaponized documents.
Monitoring Recommendations
- Enable command-line and module-load logging on endpoints that have IrfanView installed and forward the events to a central analytics platform.
- Track installations of the CADImage plugin across the fleet so detection scope matches actual exposure.
- Monitor email and web gateways for DWG attachments and downloads from external senders.
How to Mitigate CVE-2025-7255
Immediate Actions Required
- Inventory endpoints with IrfanView and the CADImage plugin installed, prioritizing engineering, architecture, and manufacturing users who routinely handle CAD files.
- Update the CADImage plugin to the latest version provided by CADSoftTools as soon as a fixed build is available.
- Block delivery of DWG files from external sources at the email and web proxy layer until patched.
- Instruct users to open DWG files only from trusted, verified senders.
Patch Information
At the time of publication, no vendor patch URL is referenced in the NVD entry. Refer to the ZDI-25-500 advisory and the CADSoftTools download page for the current CADImage plugin release. Apply the fixed version to every IrfanView installation that loads the plugin and confirm the new plugin DLL version on each host.
Workarounds
- Remove or disable the CADImage plugin from IrfanView installations that do not need CAD rendering.
- Restrict file associations so DWG files do not open in IrfanView by default.
- Run IrfanView from a standard user account, never an administrator, to limit the blast radius of code execution.
- Use application control to prevent IrfanView from spawning command interpreters or script hosts.
# Windows: remove the CADImage plugin DLL from an IrfanView install
# Adjust the path to match the deployed IrfanView directory
set IV_DIR="C:\Program Files\IrfanView\Plugins"
if exist %IV_DIR%\CADImage.dll (
ren %IV_DIR%\CADImage.dll CADImage.dll.disabled
)
# Break the .dwg file association so DWGs do not auto-open in IrfanView
assoc .dwg=
ftype IrfanView.DWG=
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

