CVE-2025-7270 Overview
CVE-2025-7270 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw exists in the plugin's parsing of .DWG (AutoCAD drawing) files and enables arbitrary code execution in the context of the IrfanView process. Exploitation requires user interaction: the target must open a crafted DWG file or visit a malicious page that delivers one. The Zero Day Initiative tracks the issue as ZDI-CAN-26189 and published advisory ZDI-25-518. The weakness is classified under [CWE-119] (improper restriction of operations within the bounds of a memory buffer).
Critical Impact
A single malicious DWG file opened in IrfanView with the CADImage Plugin grants the attacker code execution with the privileges of the local user.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
- IrfanView (x86 and x64 builds) when the CADImage Plugin is installed
- Windows systems processing untrusted .DWG files through IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7270 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7270
Vulnerability Analysis
The vulnerability resides in the DWG file parser implemented by the CADImage Plugin. DWG is a proprietary binary CAD format containing a header, class section, object data, and section locator records. When the plugin parses attacker-controlled fields inside a DWG file, it fails to validate user-supplied input against the destination buffer size. The resulting memory corruption allows an attacker to overwrite adjacent memory structures and redirect program execution. Because the plugin loads inside the IrfanView process, successful exploitation yields code execution in that process with the rights of the user who opened the file.
Root Cause
The root cause is insufficient validation of length or offset values read from the DWG file before they are used in memory operations. The parser trusts attacker-controlled fields and performs buffer operations without enforcing bounds, satisfying the conditions for [CWE-119].
Attack Vector
The attack vector is local file processing with required user interaction. An attacker delivers a crafted DWG file through email, web download, shared storage, or a malicious web page. When the victim opens the file in IrfanView with the CADImage Plugin enabled, the parser triggers the memory corruption and the embedded payload runs in the user context. No authentication is required and no network access to the victim is needed beyond delivery of the file.
No public proof-of-concept code is available. Refer to the Zero Day Initiative Advisory ZDI-25-518 for vendor-coordinated technical details.
Detection Methods for CVE-2025-7270
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, especially cmd.exe, powershell.exe, or rundll32.exe.
- DWG files arriving via email, browser downloads, or removable media from untrusted senders.
- Crash dumps or Windows Error Reporting events referencing the CADImage Plugin DLL during DWG file open operations.
Detection Strategies
- Hunt for IrfanView processes loading the CADImage Plugin and subsequently performing network connections or file writes outside the user's documents path.
- Inspect endpoint telemetry for access violations or heap corruption exceptions originating in CADImage module addresses.
- Apply YARA rules that flag DWG files with malformed section locator records or oversized class section lengths.
Monitoring Recommendations
- Forward Sysmon Event ID 1 (process creation) and Event ID 7 (image load) for i_view32.exe and i_view64.exe to a central log platform.
- Alert on Windows Error Reporting (Event ID 1000) entries that name the CADImage Plugin binary as the faulting module.
- Track file write activity that creates executables or scripts in %APPDATA% or %TEMP% immediately after IrfanView opens a DWG file.
How to Mitigate CVE-2025-7270
Immediate Actions Required
- Update the CADImage Plugin to the latest version released by CADSoftTools and confirm IrfanView is running a current build.
- Disable or uninstall the CADImage Plugin on workstations that do not require DWG support.
- Block inbound DWG files at the email gateway and web proxy for users who do not work with CAD content.
- Instruct users to refuse DWG files from untrusted sources until patching is complete.
Patch Information
CADSoftTools coordinated remediation through the Zero Day Initiative. Administrators should obtain the corrected CADImage Plugin from the vendor and verify the installed version against the fixed release referenced in the Zero Day Initiative Advisory ZDI-25-518. No CISA KEV listing exists for this CVE and the current EPSS probability is 0.22%.
Workarounds
- Remove the CADImage Plugin DLL from the IrfanView Plugins directory if DWG support is not needed.
- Associate .DWG files with a non-vulnerable viewer until the patched plugin is deployed.
- Run IrfanView under a standard (non-administrator) user account to limit the blast radius of any successful exploitation.
- Enforce attack surface reduction rules that block child process creation from image viewer applications.
# Example: remove the CADImage Plugin from a managed IrfanView install
set PLUGIN_DIR="C:\Program Files\IrfanView\Plugins"
del /f /q "%PLUGIN_DIR%\CADIMAGE.DLL"
# Block DWG handling by IrfanView via file association reset
assoc .dwg=
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

