Skip to main content
CVE Vulnerability Database

CVE-2025-7264: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7264 is a remote code execution vulnerability in Cadsofttools Cadimage affecting CGM file parsing that enables attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7264 Overview

CVE-2025-7264 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage Plugin. The flaw resides in the parsing logic for Computer Graphics Metafile (CGM) files. Attackers can exploit this issue to execute arbitrary code in the context of the process running IrfanView. Exploitation requires user interaction: the target must open a malicious CGM file or visit a page that delivers one. The Zero Day Initiative tracked this issue internally as ZDI-CAN-26171 and published it as advisory ZDI-25-512.

Critical Impact

Successful exploitation grants arbitrary code execution in the context of the current user, with full impact to confidentiality, integrity, and availability.

Affected Products

  • CadSoftTools CADImage Plugin for IrfanView (x86)
  • CadSoftTools CADImage Plugin for IrfanView (x64)
  • IrfanView (x86 and x64) installations bundling the CADImage Plugin

Discovery Timeline

  • 2025-07-21 - CVE-2025-7264 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7264

Vulnerability Analysis

The vulnerability is an out-of-bounds read [CWE-125] inside the CADImage plugin distributed with IrfanView. The plugin parses CGM image files supplied by the user. During parsing, the plugin fails to properly validate fields embedded in the CGM structure before using them to compute buffer offsets. As a result, the parser reads past the end of an allocated buffer. The disclosed scoring indicates local attack vector with required user interaction, and high impact across confidentiality, integrity, and availability.

Attackers can leverage the out-of-bounds read to disclose adjacent memory and influence subsequent control-flow operations. Combined with the plugin's handling of attacker-controlled data structures, this leads to arbitrary code execution within the IrfanView process. Because IrfanView runs with the privileges of the invoking user, exploitation hands the attacker those same privileges on the host.

Root Cause

The root cause is missing bounds validation on user-supplied length or offset fields within CGM records. The parser trusts attacker-controlled values when accessing internal buffers. No sanity check ensures that the requested read remains within the bounds of the allocated allocation.

Attack Vector

Exploitation requires the victim to open a crafted CGM file in IrfanView with the CADImage plugin installed. Delivery vectors include phishing emails with attachments, drive-by downloads, and file-sharing services. Once the file is opened, parsing occurs automatically and triggers the flaw without further user action.

The vulnerability is described in prose only; no proof-of-concept code has been released publicly. See the Zero Day Initiative Advisory ZDI-25-512 for vendor coordination details.

Detection Methods for CVE-2025-7264

Indicators of Compromise

  • Unexpected CGM (.cgm) files arriving via email attachments, shared drives, or browser downloads to user workstations.
  • IrfanView (i_view32.exe or i_view64.exe) process crashes or abnormal child process creation immediately after opening an image file.
  • New or unexpected processes spawned by IrfanView, such as cmd.exe, powershell.exe, or scripting hosts.
  • Outbound network connections originating from i_view32.exe or i_view64.exe shortly after a CGM file is opened.

Detection Strategies

  • Monitor process lineage for IrfanView spawning shells, script interpreters, or LOLBins, which is atypical for an image viewer.
  • Inspect endpoint telemetry for memory access violations and crash events tied to the CADImage plugin DLL.
  • Apply YARA or content-inspection rules to flag CGM files with malformed record lengths or anomalous opcodes at the email and web proxy layers.

Monitoring Recommendations

  • Centralize IrfanView crash dumps and Windows Error Reporting events for correlation with file-open activity.
  • Alert on file-write activity by IrfanView outside of expected output directories.
  • Track installation prevalence of the CADImage plugin across managed endpoints to scope exposure.

How to Mitigate CVE-2025-7264

Immediate Actions Required

  • Inventory endpoints with IrfanView installed and identify which have the CADImage Plugin enabled.
  • Remove or disable the CADImage Plugin on systems that do not require CGM or CAD format support.
  • Block inbound CGM file attachments at email gateways until a patched plugin version is deployed.
  • Restrict file associations so that CGM files do not open automatically in IrfanView.

Patch Information

At the time of NVD publication, no fixed version is referenced in the CVE record. Administrators should consult the Zero Day Initiative Advisory ZDI-25-512 and the CadSoftTools and IrfanView vendor pages for current patch availability and apply updates as soon as they are released.

Workarounds

  • Uninstall the CADImage Plugin from IrfanView installations that do not require CGM parsing.
  • Train users to avoid opening CGM files from untrusted sources, including unsolicited email attachments.
  • Run IrfanView under a standard (non-administrative) user account to limit the impact of successful exploitation.
  • Enforce application allowlisting to prevent IrfanView from launching unexpected child processes.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.