CVE-2025-7258 Overview
CVE-2025-7258 is an out-of-bounds write vulnerability [CWE-787] in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the DWG file parsing routine and stems from missing validation of user-supplied data. An attacker who convinces a user to open a crafted DWG file, or visit a page that delivers one, can write past the end of an allocated buffer and execute arbitrary code in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26127 and disclosed publicly as ZDI-25-507.
Critical Impact
Arbitrary code execution in the context of the user running IrfanView, achieved by opening a malicious DWG file.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) installations with the CADImage Plugin loaded
- Any workflow that renders DWG files through the CADImage Plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7258 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7258
Vulnerability Analysis
The vulnerability exists in the DWG file parser shipped with the CADImage Plugin for IrfanView. DWG is the native binary format used by AutoCAD and related CAD tooling. The parser reads structured records from the file and copies data into fixed-size buffers during object reconstruction.
Because the parser trusts length and offset fields sourced from the file, a crafted DWG can steer a memory write beyond the bounds of an allocated buffer. The overwrite corrupts adjacent heap or stack structures, giving an attacker control over subsequent execution. Successful exploitation yields code execution with the privileges of the IrfanView process. User interaction is required, and the attack executes locally when the target opens the file.
Root Cause
The root cause is improper validation of user-supplied data during DWG parsing, classified as an out-of-bounds write [CWE-787]. Length or index values embedded in the DWG file are used to compute a write destination without bounds checking against the target buffer. When those values exceed the allocation, the write clobbers memory outside the intended region.
Attack Vector
Exploitation requires that a user open a malicious DWG file with IrfanView while the CADImage Plugin is installed. Delivery paths include email attachments, drive-by download pages, shared network drives, and archives extracted by the victim. The attacker does not need any prior privileges on the system, but the target must complete the file-open action for the parser to run.
No public proof-of-concept exploit is listed at the time of writing, and the vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. Refer to the Zero Day Initiative advisory ZDI-25-507 for additional parser context.
Detection Methods for CVE-2025-7258
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command shells, script hosts, or rundll32.exe
- Crashes or Windows Error Reporting entries referencing the CADImage Plugin DLL when processing .dwg files
- Inbound .dwg files arriving through email gateways, chat platforms, or web downloads to users who do not routinely handle CAD assets
Detection Strategies
- Alert on IrfanView loading the CADImage Plugin followed by memory allocation anomalies or access violations during DWG parsing
- Monitor for suspicious process trees where IrfanView spawns interpreters, shells, or living-off-the-land binaries
- Correlate file-open telemetry for .dwg extensions with subsequent network egress or persistence events
Monitoring Recommendations
- Enable process creation logging (Windows Event ID 4688 or Sysmon Event ID 1) with command-line capture on workstations that run IrfanView
- Track image loads of the CADImage Plugin DLL through Sysmon Event ID 7 to inventory affected hosts
- Feed endpoint, email gateway, and proxy telemetry into a central data lake to hunt for .dwg delivery patterns tied to user click-through
How to Mitigate CVE-2025-7258
Immediate Actions Required
- Inventory all systems running IrfanView with the CADImage Plugin installed and confirm plugin version
- Restrict opening of .dwg files sourced from untrusted email, web, or removable media until a fixed plugin build is deployed
- Brief users who handle CAD files on the risks of opening unsolicited DWG attachments
Patch Information
At publication, no vendor patch URL is referenced in the NVD entry. Administrators should monitor CADSoftTools and IrfanView update channels for a corrected CADImage Plugin release and consult the Zero Day Initiative advisory ZDI-25-507 for the latest remediation status.
Workarounds
- Uninstall or disable the CADImage Plugin on hosts that do not require DWG rendering in IrfanView
- Remove the .dwg file association from IrfanView so the parser is not invoked by double-click
- Block or quarantine .dwg attachments at the email gateway for user groups without a business need to receive CAD files
- Enforce application allowlisting to prevent execution of unexpected child processes spawned from IrfanView
# Example: remove CADImage Plugin files on Windows (run as Administrator)
# Adjust the path to match the IrfanView installation directory
del "C:\Program Files\IrfanView\Plugins\CADIMAGE.DLL"
del "C:\Program Files (x86)\IrfanView\Plugins\CADIMAGE.DLL"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

