Skip to main content
CVE Vulnerability Database

CVE-2025-7262: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7262 is a remote code execution flaw in Cadsofttools Cadimage affecting DWG file parsing. Attackers can exploit this out-of-bounds read to execute arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7262 Overview

CVE-2025-7262 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage Plugin that can lead to arbitrary code execution. The flaw resides in the plugin's parser for DWG (AutoCAD drawing) files and stems from insufficient validation of user-supplied data. An attacker who convinces a user to open a crafted DWG file, or visit a page that delivers one, can read past the end of an allocated buffer and execute code in the context of the IrfanView process. The issue was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-26132 and tracked publicly as ZDI-25-510.

Critical Impact

Successful exploitation grants code execution under the current user, enabling malware deployment, credential theft, or lateral movement from a single malicious DWG file.

Affected Products

  • IrfanView (x86 and x64 builds)
  • CADSoftTools CADImage Plugin for IrfanView (x86)
  • CADSoftTools CADImage Plugin for IrfanView (x64)

Discovery Timeline

  • 2025-07-21 - CVE-2025-7262 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7262

Vulnerability Analysis

The CADImage Plugin extends IrfanView with the ability to render CAD formats, including DWG. When the plugin parses a DWG file, it reads structured records that describe entities, headers, and object tables. The parser trusts length and offset fields embedded in the file without bounding them against the size of the allocated buffer that holds the parsed data.

A crafted DWG file can therefore cause the parser to read memory beyond the end of an allocated buffer. This out-of-bounds read can disclose adjacent heap data and, combined with controlled allocation layout, can be chained to corrupt program state and redirect execution. Exploitation requires user interaction: the victim must open the file in IrfanView or load it from a page that triggers the associated handler.

Root Cause

The root cause is missing validation of size and offset fields parsed from attacker-controlled DWG structures. The CADImage parser dereferences these values when copying or interpreting record contents, but it does not verify that the read range remains inside the bounds of the buffer holding the file data. This pattern is classified as [CWE-125] Out-of-Bounds Read.

Attack Vector

Exploitation is local in the CVSS sense because the file must reach the user, but delivery is straightforward over standard internet channels. Typical scenarios include email attachments, drive-by downloads, shared network drives, and chat clients that auto-render previews. Once the user opens the file with IrfanView, the CADImage Plugin parses it and triggers the out-of-bounds read. No authentication is required and no privileges beyond those of the current user are needed.

No verified public proof-of-concept code is available. See the Zero Day Initiative Advisory ZDI-25-510 for additional technical context.

Detection Methods for CVE-2025-7262

Indicators of Compromise

  • Unexpected child processes (for example, cmd.exe, powershell.exe, rundll32.exe) spawned by i_view32.exe or i_view64.exe shortly after opening a .dwg file.
  • Crashes or access violations in i_view32.exe/i_view64.exe referencing the CADImage plugin DLL during DWG file rendering.
  • Inbound .dwg attachments from untrusted senders followed by outbound connections from the IrfanView process.

Detection Strategies

  • Hunt for process-lineage chains where IrfanView spawns interpreters or scripting hosts, which is anomalous for a viewer application.
  • Inspect Windows Error Reporting and crash dumps for faulting modules tied to the CADImage plugin during DWG parsing.
  • Flag DWG files arriving through email, web download, or removable media on hosts where IrfanView and the CADImage Plugin are installed.

Monitoring Recommendations

  • Forward endpoint process, file, and module-load telemetry to a central analytics platform and alert on IrfanView loading the CADImage DLL followed by suspicious child processes.
  • Monitor for new executables, scheduled tasks, or registry Run keys created in the user profile within minutes of IrfanView opening a CAD file.
  • Track outbound network connections originating from i_view32.exe and i_view64.exe, which should rarely communicate externally.

How to Mitigate CVE-2025-7262

Immediate Actions Required

  • Inventory endpoints running IrfanView with the CADImage Plugin installed and prioritize them for patching.
  • Block or quarantine inbound .dwg attachments at the email gateway until affected hosts are updated.
  • Instruct users to avoid opening CAD files from untrusted sources and to verify file origin before opening.

Patch Information

At the time of NVD publication, no vendor advisory URL was listed for CADSoftTools or IrfanView. Administrators should monitor the IrfanView website and the CADSoftTools CADImage page for an updated plugin release that addresses CVE-2025-7262, and refer to ZDI-25-510 for disclosure status.

Workarounds

  • Uninstall or disable the CADImage Plugin on hosts that do not require DWG viewing in IrfanView until a fix is released.
  • Remove .dwg and related CAD extensions from IrfanView's file association list to prevent automatic invocation.
  • Restrict IrfanView execution to standard user accounts and apply application control policies that block child-process creation from the viewer.
bash
# Remove the CADImage plugin DLL from a standard IrfanView install path
# (run from an elevated PowerShell prompt; adjust paths as needed)
Remove-Item "C:\Program Files\IrfanView\Plugins\CADImage.dll" -Force
Remove-Item "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll" -Force

# Remove .dwg file association for IrfanView for the current user
reg delete "HKCU\Software\Classes\.dwg" /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.