Skip to main content
CVE Vulnerability Database

CVE-2025-7275: Cadsofttools Cadimage Plugin RCE Flaw

CVE-2025-7275 is a remote code execution vulnerability in IrfanView CADImage Plugin affecting CGM file parsing. Attackers can exploit an out-of-bounds read to execute code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7275 Overview

CVE-2025-7275 is an out-of-bounds read vulnerability in the IrfanView CADImage Plugin that can lead to remote code execution. The flaw resides in the plugin's parsing of Computer Graphics Metafile (CGM) files. Insufficient validation of user-supplied data allows a crafted CGM file to trigger a read past the end of an allocated buffer. Attackers can leverage this condition to execute code in the context of the current process.

Exploitation requires user interaction. The target must open a malicious CGM file or visit a page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26204 and is tracked under [CWE-125] (Out-of-Bounds Read).

Critical Impact

A specially crafted CGM file processed by IrfanView with the CADImage plugin can result in arbitrary code execution in the context of the logged-on user.

Affected Products

  • CadSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
  • IrfanView (x86 and x64 builds) when the CADImage plugin is installed
  • Windows installations using the CADImage plugin for CGM file rendering

Discovery Timeline

  • 2025-07-21 - CVE-2025-7275 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7275

Vulnerability Analysis

The vulnerability exists in the CGM file parser within the CadSoftTools CADImage Plugin used by IrfanView. CGM is a vector graphics format containing structured records that describe geometric primitives, attributes, and metadata. The parser reads length and offset fields directly from the file and uses them to access internal buffers without verifying the values against the actual buffer bounds.

When the plugin processes a malformed CGM record, it reads memory beyond the allocated buffer. The resulting out-of-bounds read can disclose adjacent process memory or, when combined with attacker-controlled state, redirect execution flow. Because IrfanView runs as the interactive user, successful exploitation yields code execution at that user's privilege level.

Root Cause

The root cause is missing bounds validation on length and index values parsed from CGM records before they are used in buffer read operations. The plugin trusts file-supplied sizing fields, which violates safe input-handling practices for binary file parsers ([CWE-125]).

Attack Vector

The attack vector is local and requires user interaction. An attacker delivers a malicious CGM file through email, a web download, a network share, or a drive-by page that invokes IrfanView as the registered handler. When the user opens the file in IrfanView with the CADImage plugin loaded, the parser reaches the vulnerable code path. No authentication or elevated privileges are required on the target system.

No verified public proof-of-concept is currently available. Technical details are summarized in the Zero Day Initiative Advisory ZDI-25-522.

Detection Methods for CVE-2025-7275

Indicators of Compromise

  • Unexpected i_view32.exe or i_view64.exe process crashes with access violation exceptions when opening .cgm files
  • CGM files arriving via email attachments or downloads from untrusted sources, particularly with anomalous structural fields
  • IrfanView spawning unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe shortly after opening a file
  • Outbound network connections initiated by the IrfanView process following the rendering of a CGM file

Detection Strategies

  • Monitor process creation events where IrfanView is the parent of a shell, scripting, or LOLBin process
  • Inspect Windows Error Reporting and crash dumps tied to the CADImage plugin module for repeated faults on CGM parsing
  • Apply file-content inspection at email and web gateways to flag CGM files with malformed record lengths or oversized indices

Monitoring Recommendations

  • Enable command-line and module-load auditing on endpoints that have IrfanView and the CADImage plugin installed
  • Alert on .cgm file writes followed by IrfanView execution within a short interval, especially from Downloads or temp paths
  • Track plugin DLL load events for the CADImage component to baseline normal activity and surface anomalies

How to Mitigate CVE-2025-7275

Immediate Actions Required

  • Inventory all systems running IrfanView with the CADImage plugin and prioritize patching them
  • Block or quarantine inbound .cgm attachments at email gateways until patched versions are deployed
  • Remove the CADImage plugin from systems that do not require CGM or CAD file rendering
  • Restrict file association so CGM files do not open automatically in IrfanView for standard users

Patch Information

At the time of publication, refer to the vendor's product page and the Zero Day Initiative Advisory ZDI-25-522 for the latest fixed version of the CADImage plugin and IrfanView. Update both the CADImage plugin and IrfanView to the most recent releases provided by CadSoftTools and IrfanView, respectively, and verify the plugin version after installation.

Workarounds

  • Uninstall the CADImage plugin from IrfanView until a patched version is installed
  • Disassociate the .cgm extension from IrfanView and require manual opening of files from trusted sources only
  • Run IrfanView under a standard, non-administrative user account to limit the impact of successful exploitation
  • Apply application allow-listing or attack surface reduction rules that prevent IrfanView from spawning shell or scripting processes
bash
# Configuration example: remove .cgm file association for IrfanView on Windows
reg delete "HKCU\Software\Classes\.cgm" /f
reg delete "HKCU\Software\Classes\IrfanView.cgm" /f

# Verify installed IrfanView version
powershell -Command "Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\IrfanView' | Select-Object DisplayVersion"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.