CVE-2025-7263 Overview
CVE-2025-7263 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage Plugin. The flaw resides in the parser that processes Computer Graphics Metafile (CGM) files. Attackers can trigger the issue by enticing a user to open a crafted CGM file or visit a malicious page hosting one. Successful exploitation allows arbitrary code execution in the context of the current process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26170 and disclosed in advisory ZDI-25-511.
Critical Impact
An attacker who convinces a user to open a malicious CGM file can execute arbitrary code with the privileges of the IrfanView process, leading to local compromise of the host.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
- IrfanView (x86 and x64) installations using the CADImage Plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7263 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7263
Vulnerability Analysis
The CADImage Plugin extends IrfanView with support for CAD and vector graphics formats, including CGM. CVE-2025-7263 stems from missing validation of user-supplied data while parsing CGM file structures. During parsing, the plugin reads beyond the bounds of an allocated buffer. This out-of-bounds read can disclose adjacent process memory and, when combined with predictable memory layouts, can be leveraged to influence control flow and execute arbitrary code in the IrfanView process.
Exploitation requires user interaction. The target user must open a malicious CGM file or browse to content that triggers the plugin to parse attacker-controlled data. Because IrfanView is widely used as a default image viewer on Windows endpoints, file association handlers can be abused to invoke the vulnerable parser with minimal user awareness.
Root Cause
The root cause is inadequate boundary checking inside the CGM parsing routines of the CADImage Plugin. Length and offset fields embedded in the CGM stream are trusted without verifying they remain within the bounds of the allocated buffer, producing a classic [CWE-125] out-of-bounds read.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious .cgm file through email, web download, removable media, or a drive-by page. When the user opens the file in IrfanView with the CADImage Plugin installed, the vulnerable parser is invoked and the out-of-bounds read occurs, enabling code execution within the user's session.
No verified public proof-of-concept code is available. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-511.
Detection Methods for CVE-2025-7263
Indicators of Compromise
- Unexpected crashes or access violations in i_view32.exe or i_view64.exe when handling CGM files
- Presence of unsolicited .cgm files in user download, temp, or email attachment directories
- Child processes (for example cmd.exe, powershell.exe, or rundll32.exe) spawned by IrfanView shortly after a file is opened
- Outbound network connections initiated by the IrfanView process following CGM file access
Detection Strategies
- Hunt for process lineage where IrfanView spawns interpreters, scripting hosts, or LOLBins
- Inspect Windows Error Reporting and crash dumps referencing the CADImage Plugin DLL for repeated faults
- Apply file-type inspection at the email gateway and web proxy to flag inbound .cgm attachments and downloads
- Use EDR telemetry to correlate file-open events on .cgm files with subsequent suspicious child-process or memory-allocation activity
Monitoring Recommendations
- Enable command-line and module-load auditing on endpoints running IrfanView to capture loads of the CADImage Plugin DLL
- Forward image-load, process-create, and file-create events to a centralized SIEM for correlation
- Alert on anomalous IrfanView behavior such as outbound connections, persistence creation, or credential access activity
How to Mitigate CVE-2025-7263
Immediate Actions Required
- Inventory all endpoints running IrfanView and identify which installations have the CADImage Plugin loaded
- Remove or disable the CADImage Plugin on hosts that do not require CGM or CAD file viewing
- Block inbound .cgm attachments at the email gateway and warn users not to open untrusted CAD files
- Restrict execution of IrfanView to users with a business need and enforce least-privilege user accounts
Patch Information
At the time of NVD publication, no vendor patch URL is listed in the advisory. Administrators should monitor the Zero Day Initiative Advisory ZDI-25-511 and the CADSoftTools and IrfanView vendor sites for updated plugin releases addressing CVE-2025-7263, and apply the fixed version as soon as it is available.
Workarounds
- Uninstall the CADImage Plugin until a fixed version is released
- Remove the .cgm file association from IrfanView so the vulnerable parser is not invoked by default
- Run IrfanView inside an application sandbox or with Windows Defender Application Control policies that restrict child-process creation and network access
- Apply attack surface reduction rules that block Office and browser applications from launching IrfanView with attacker-supplied files
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

