Skip to main content
CVE Vulnerability Database

CVE-2025-7274: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7274 is a remote code execution flaw in Cadsofttools Cadimage that allows attackers to execute arbitrary code via malicious DWG files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7274 Overview

CVE-2025-7274 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the plugin's parsing logic for DWG (AutoCAD Drawing) files and allows attackers to execute arbitrary code in the context of the current process. Exploitation requires user interaction, meaning the target must open a crafted DWG file or visit a malicious page that delivers one. The vulnerability is tracked under Zero Day Initiative advisory ZDI-25-525 (ZDI-CAN-26203) and is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Successful exploitation grants arbitrary code execution on the victim system with the privileges of the user running IrfanView, enabling full compromise of user data and downstream lateral movement.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x86 and x64 builds)
  • IrfanView (x86 and x64) installations with the CADImage plugin enabled
  • Windows systems processing DWG files through the affected plugin

Discovery Timeline

  • 2025-07-21 - CVE-2025-7274 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7274

Vulnerability Analysis

The vulnerability exists in the DWG file parser shipped within the CADImage plugin for IrfanView. DWG is a binary format used by AutoCAD and related CAD applications to store 2D and 3D drawing data. The parser fails to validate user-supplied data inside the DWG structure before using it in memory operations, producing a memory corruption condition. Attackers can craft a DWG file that triggers the bug during normal image preview or open operations.

Because IrfanView is widely deployed as a default image viewer and supports automatic plugin invocation based on file extension, a single user action — opening a downloaded or attached DWG file — is sufficient to trigger the flaw. The attack is local in scope but delivery channels include email attachments, web downloads, and shared network drives.

Root Cause

The root cause is improper restriction of operations within memory buffer bounds during DWG record processing. The parser trusts length or offset fields embedded in the DWG file without bounds checking against the actual allocated buffer. Malformed records cause writes or reads outside intended memory regions, corrupting adjacent heap or stack structures. Attackers can shape the corruption to overwrite control data such as function pointers or return addresses.

Attack Vector

The attack vector is local with required user interaction. An attacker delivers a malicious DWG file through phishing, drive-by download, or shared storage. When the victim opens the file in IrfanView, the CADImage plugin parses the document and the corruption fires. Code executes with the privileges of the IrfanView process, typically the logged-in user. No authentication or network position is required beyond persuading the user to open the file.

No verified public proof-of-concept code is available. Refer to the Zero Day Initiative Advisory ZDI-25-525 for additional technical context.

Detection Methods for CVE-2025-7274

Indicators of Compromise

  • DWG files arriving from untrusted email senders, web downloads, or removable media that are opened by i_view32.exe or i_view64.exe
  • Unexpected child processes spawned by IrfanView, including cmd.exe, powershell.exe, rundll32.exe, or unsigned binaries
  • Crash events or Windows Error Reporting entries referencing the CADImage plugin module during DWG processing
  • Outbound network connections initiated by the IrfanView process shortly after opening a CAD file

Detection Strategies

  • Monitor process creation events where the parent process is IrfanView and the child is an interpreter, shell, or LOLBin
  • Inspect file write events from IrfanView to user-writable persistence locations such as %APPDATA% and Startup folders
  • Apply YARA or content rules against DWG attachments at email and web gateways to flag malformed header structures
  • Track loading of the CADImage plugin DLL alongside abnormal memory allocation or exception patterns

Monitoring Recommendations

  • Enable Windows Defender Exploit Guard and audit-mode logging for IrfanView to capture exploitation primitives
  • Forward endpoint process, image-load, and file-open telemetry to a centralized SIEM or data lake for correlation
  • Alert on first-seen DWG file extensions in environments that do not normally process CAD content
  • Review crash dumps from IrfanView weekly for signatures consistent with heap or stack corruption in the plugin module

How to Mitigate CVE-2025-7274

Immediate Actions Required

  • Inventory all endpoints with IrfanView and the CADImage plugin installed, prioritizing systems handling external file submissions
  • Update IrfanView and the CADImage plugin to the latest vendor-released versions that address ZDI-25-525
  • Block inbound DWG attachments at email gateways for user populations that do not require CAD file handling
  • Educate users to avoid opening DWG files from untrusted sources until patches are validated

Patch Information

CADSoftTools and IrfanView vendor advisories were not enumerated in the NVD record at publication. Consult the Zero Day Initiative Advisory ZDI-25-525 and the CADSoftTools and IrfanView download portals for the fixed plugin and application versions. Apply updates to both x86 and x64 builds because both CPE entries are affected.

Workarounds

  • Uninstall or disable the CADImage plugin on systems that do not require DWG support
  • Remove file associations between DWG and IrfanView using Windows Default Apps settings
  • Apply application allowlisting to prevent IrfanView from spawning shells, scripting hosts, or unsigned executables
  • Restrict IrfanView execution to least-privileged user accounts and disable plugin auto-load where feasible
bash
# Configuration example: remove CADImage plugin DLL on Windows endpoints
# Run as administrator in PowerShell

$plugin = "C:\Program Files\IrfanView\Plugins\CADImage.dll"
if (Test-Path $plugin) {
    Stop-Process -Name "i_view64","i_view32" -Force -ErrorAction SilentlyContinue
    Remove-Item $plugin -Force
    Write-Host "CADImage plugin removed. Reinstall the patched version from the vendor."
} else {
    Write-Host "CADImage plugin not present on this host."
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.