CVE-2025-7265 Overview
CVE-2025-7265 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage plugin developed by CADSoftTools. The flaw resides in the parser that processes Computer Graphics Metafile (CGM) files. An attacker can craft a malicious CGM file that, when opened by a user in IrfanView, causes the plugin to read past the end of an allocated buffer. Successful exploitation allows arbitrary code execution in the context of the current user. The issue was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-26173 and published as advisory ZDI-25-513.
Critical Impact
Attackers can execute arbitrary code on affected systems by tricking a user into opening a crafted CGM file with IrfanView.
Affected Products
- IrfanView (x86 and x64 builds with the CADImage plugin installed)
- CADSoftTools CADImage plugin for IrfanView (x86)
- CADSoftTools CADImage plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7265 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7265
Vulnerability Analysis
The vulnerability exists in the CADImage plugin that extends IrfanView to render CAD-related image formats, including CGM. When the plugin parses structured records inside a CGM file, it relies on size and offset fields supplied by the file itself. The parser does not adequately validate these values against the bounds of the allocated buffer. A specifically crafted CGM file forces the plugin to read memory beyond the allocated region during parsing. Attackers can use the resulting memory disclosure and corrupted parsing state to redirect control flow and execute code as the user running IrfanView.
Exploitation requires user interaction. The target must open the malicious CGM file or visit a page that triggers the file handler. Because IrfanView typically runs as a desktop user, successful exploitation yields code execution at that user's privilege level.
Root Cause
The root cause is insufficient validation of user-supplied data inside the CGM record parser. Length and index fields embedded in the file are trusted without comparison to the size of the destination buffer. This leads to an out-of-bounds read [CWE-125] during deserialization of CGM structures.
Attack Vector
The attack vector is local file handling with required user interaction. An attacker delivers the malicious CGM file via email, a web download, a network share, or removable media. When the user opens the file in IrfanView with the CADImage plugin loaded, the parser processes the malformed records and triggers the condition. No authentication is required, and the attacker does not need prior access to the system.
No verified public exploit code is available. See the Zero Day Initiative Advisory ZDI-25-513 for additional technical context.
Detection Methods for CVE-2025-7265
Indicators of Compromise
- CGM files (.cgm extension) received from untrusted sources, especially via email attachments or web downloads
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as command shells or scripting hosts
- Crashes of IrfanView when opening CGM files, recorded in the Windows Application event log under Windows Error Reporting
Detection Strategies
- Monitor process creation events where IrfanView is the parent and the child is cmd.exe, powershell.exe, rundll32.exe, or other living-off-the-land binaries
- Inspect file write activity by IrfanView outside its normal working directories, which can indicate post-exploitation payload staging
- Hunt for CGM files in user download and temporary directories and correlate with subsequent IrfanView execution
Monitoring Recommendations
- Enable command-line auditing and Sysmon process and image-load events on workstations with IrfanView installed
- Alert on loads of CADImage.dll (or the CADImage plugin DLL) followed by abnormal memory access faults in IrfanView
- Forward endpoint telemetry to a centralized analytics platform to correlate CGM file delivery with subsequent process anomalies
How to Mitigate CVE-2025-7265
Immediate Actions Required
- Update the IrfanView CADImage plugin to the latest version published by CADSoftTools as referenced in ZDI-25-513
- Remove the CADImage plugin from IrfanView installations where CGM support is not required
- Block inbound CGM file attachments at the email gateway and web proxy until patching is complete
- Instruct users not to open CGM files received from unknown or untrusted senders
Patch Information
At the time of NVD publication, no vendor advisory URL is recorded in the CVE record. Refer to the Zero Day Initiative Advisory ZDI-25-513 and the CADSoftTools and IrfanView download pages for the latest CADImage plugin build that addresses the out-of-bounds read.
Workarounds
- Uninstall or disable the CADImage plugin by removing its DLL from the IrfanView Plugins directory if CGM rendering is not needed
- Associate .cgm files with a non-vulnerable viewer or a sandboxed application until the patched plugin is deployed
- Apply application allowlisting to restrict execution of unexpected child processes from IrfanView
# Disable the CADImage plugin on Windows by moving the DLL out of the IrfanView Plugins folder
move "C:\Program Files\IrfanView\Plugins\CADImage.dll" "C:\Program Files\IrfanView\Plugins\disabled\CADImage.dll.bak"
# Block CGM files at a Windows file server using File Server Resource Manager (example)
New-FsrmFileGroup -Name "BlockedCAD" -IncludePattern @("*.cgm")
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

