CVE-2025-7261 Overview
CVE-2025-7261 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage plugin developed by CadSoftTools. The flaw resides in the parser that handles AutoCAD Drawing (DWG) files. Insufficient validation of user-supplied data allows the parser to read past the end of an allocated buffer. Attackers can leverage this condition to execute arbitrary code in the context of the current user. Exploitation requires user interaction: a victim must open a crafted DWG file or visit a malicious page that delivers one. The Zero Day Initiative tracked the issue internally as ZDI-CAN-26130 and published advisory ZDI-25-509.
Critical Impact
Successful exploitation grants arbitrary code execution as the current user, enabling malware deployment, credential theft, and lateral movement from a single opened DWG file.
Affected Products
- IrfanView (x86 and x64 builds bundling the CADImage plugin)
- CadSoftTools CADImage plugin for IrfanView (x86)
- CadSoftTools CADImage plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7261 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7261
Vulnerability Analysis
The CADImage plugin extends IrfanView with the ability to render AutoCAD formats, including DWG. When parsing a DWG file, the plugin reads structured records whose sizes and offsets are taken from fields embedded in the file itself. The plugin does not properly validate these user-controlled values against the bounds of the allocated buffer. A crafted file can therefore cause the parser to read memory beyond the end of the allocation. The leaked data flows into subsequent processing logic, where attacker-controlled values are interpreted as object pointers, sizes, or control data. This turns the out-of-bounds read primitive into a path to arbitrary code execution within the IrfanView process. The vector is local because the attacker must convince the user to open the file, but no privileges are required on the target host.
Root Cause
The root cause is missing boundary validation in the DWG parsing routine. Length and offset fields read from the file are used directly in pointer arithmetic without checks against the size of the underlying buffer. This is a classic instance of [CWE-125] Out-of-Bounds Read.
Attack Vector
An attacker delivers a malicious DWG file through email attachments, drive-by download pages, shared network drives, or design-asset marketplaces. When the user opens the file in IrfanView with the CADImage plugin installed, the parser processes the corrupted structures and triggers the vulnerability. Code executes with the privileges of the user running IrfanView.
No proof-of-concept code is publicly available. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-509.
Detection Methods for CVE-2025-7261
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly cmd.exe, powershell.exe, or rundll32.exe.
- IrfanView crash events referencing the CADImage plugin module in Windows Event Log or Windows Error Reporting.
- DWG files arriving via email or web download to users who do not normally handle CAD content.
- Outbound network connections initiated by the IrfanView process shortly after opening a DWG file.
Detection Strategies
- Hunt for process trees where IrfanView spawns scripting or LOLBin processes, which is uncharacteristic of an image viewer.
- Inspect DWG files at the email and web gateway for malformed headers or anomalous record sizes.
- Alert on memory access violations within IrfanView modules associated with CAD parsing.
Monitoring Recommendations
- Log file-open telemetry for *.dwg extensions handled by IrfanView and correlate with subsequent process and network activity.
- Monitor for new modules loaded by IrfanView outside the installation directory.
- Track endpoints with the CADImage plugin installed and prioritize them for elevated scrutiny until patched.
How to Mitigate CVE-2025-7261
Immediate Actions Required
- Inventory endpoints running IrfanView with the CADImage plugin and identify those used to open externally sourced DWG files.
- Block or quarantine DWG attachments at the email gateway pending remediation.
- Restrict opening of DWG files to dedicated, hardened workstations until a fix is deployed.
Patch Information
No fixed version is listed in the NVD entry at the time of publication. Consult the Zero Day Initiative Advisory ZDI-25-509 and the IrfanView and CadSoftTools vendor sites for updated CADImage plugin builds. Apply the latest plugin release as soon as it becomes available.
Workarounds
- Uninstall or disable the CADImage plugin from IrfanView installations that do not require CAD support.
- Remove DWG from IrfanView's registered file associations so the format does not open automatically.
- Use a dedicated CAD application from a trusted vendor to inspect untrusted DWG files instead of IrfanView.
- Enforce application allow-listing to prevent IrfanView from spawning shell, scripting, or LOLBin processes.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

