CVE-2025-7275 Overview
CVE-2025-7275 is an out-of-bounds read vulnerability in the IrfanView CADImage Plugin that can lead to remote code execution. The flaw resides in the plugin's parsing of Computer Graphics Metafile (CGM) files. Insufficient validation of user-supplied data allows a crafted CGM file to trigger a read past the end of an allocated buffer. Attackers can leverage this condition to execute code in the context of the current process.
Exploitation requires user interaction. The target must open a malicious CGM file or visit a page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26204 and is tracked under [CWE-125] (Out-of-Bounds Read).
Critical Impact
A specially crafted CGM file processed by IrfanView with the CADImage plugin can result in arbitrary code execution in the context of the logged-on user.
Affected Products
- CadSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
- IrfanView (x86 and x64 builds) when the CADImage plugin is installed
- Windows installations using the CADImage plugin for CGM file rendering
Discovery Timeline
- 2025-07-21 - CVE-2025-7275 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7275
Vulnerability Analysis
The vulnerability exists in the CGM file parser within the CadSoftTools CADImage Plugin used by IrfanView. CGM is a vector graphics format containing structured records that describe geometric primitives, attributes, and metadata. The parser reads length and offset fields directly from the file and uses them to access internal buffers without verifying the values against the actual buffer bounds.
When the plugin processes a malformed CGM record, it reads memory beyond the allocated buffer. The resulting out-of-bounds read can disclose adjacent process memory or, when combined with attacker-controlled state, redirect execution flow. Because IrfanView runs as the interactive user, successful exploitation yields code execution at that user's privilege level.
Root Cause
The root cause is missing bounds validation on length and index values parsed from CGM records before they are used in buffer read operations. The plugin trusts file-supplied sizing fields, which violates safe input-handling practices for binary file parsers ([CWE-125]).
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious CGM file through email, a web download, a network share, or a drive-by page that invokes IrfanView as the registered handler. When the user opens the file in IrfanView with the CADImage plugin loaded, the parser reaches the vulnerable code path. No authentication or elevated privileges are required on the target system.
No verified public proof-of-concept is currently available. Technical details are summarized in the Zero Day Initiative Advisory ZDI-25-522.
Detection Methods for CVE-2025-7275
Indicators of Compromise
- Unexpected i_view32.exe or i_view64.exe process crashes with access violation exceptions when opening .cgm files
- CGM files arriving via email attachments or downloads from untrusted sources, particularly with anomalous structural fields
- IrfanView spawning unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe shortly after opening a file
- Outbound network connections initiated by the IrfanView process following the rendering of a CGM file
Detection Strategies
- Monitor process creation events where IrfanView is the parent of a shell, scripting, or LOLBin process
- Inspect Windows Error Reporting and crash dumps tied to the CADImage plugin module for repeated faults on CGM parsing
- Apply file-content inspection at email and web gateways to flag CGM files with malformed record lengths or oversized indices
Monitoring Recommendations
- Enable command-line and module-load auditing on endpoints that have IrfanView and the CADImage plugin installed
- Alert on .cgm file writes followed by IrfanView execution within a short interval, especially from Downloads or temp paths
- Track plugin DLL load events for the CADImage component to baseline normal activity and surface anomalies
How to Mitigate CVE-2025-7275
Immediate Actions Required
- Inventory all systems running IrfanView with the CADImage plugin and prioritize patching them
- Block or quarantine inbound .cgm attachments at email gateways until patched versions are deployed
- Remove the CADImage plugin from systems that do not require CGM or CAD file rendering
- Restrict file association so CGM files do not open automatically in IrfanView for standard users
Patch Information
At the time of publication, refer to the vendor's product page and the Zero Day Initiative Advisory ZDI-25-522 for the latest fixed version of the CADImage plugin and IrfanView. Update both the CADImage plugin and IrfanView to the most recent releases provided by CadSoftTools and IrfanView, respectively, and verify the plugin version after installation.
Workarounds
- Uninstall the CADImage plugin from IrfanView until a patched version is installed
- Disassociate the .cgm extension from IrfanView and require manual opening of files from trusted sources only
- Run IrfanView under a standard, non-administrative user account to limit the impact of successful exploitation
- Apply application allow-listing or attack surface reduction rules that prevent IrfanView from spawning shell or scripting processes
# Configuration example: remove .cgm file association for IrfanView on Windows
reg delete "HKCU\Software\Classes\.cgm" /f
reg delete "HKCU\Software\Classes\IrfanView.cgm" /f
# Verify installed IrfanView version
powershell -Command "Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\IrfanView' | Select-Object DisplayVersion"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

