Skip to main content
CVE Vulnerability Database

CVE-2025-7277: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7277 is a remote code execution vulnerability in Cadsofttools Cadimage affecting DWG file parsing. Attackers can exploit memory corruption to execute arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7277 Overview

CVE-2025-7277 is a memory corruption vulnerability in the IrfanView CADImage Plugin. The flaw exists within the parser that handles DWG (AutoCAD Drawing) files. The plugin fails to properly validate user-supplied data, leading to a memory corruption condition that attackers can leverage for arbitrary code execution.

Exploitation requires user interaction. A target must open a crafted DWG file or visit a malicious page that serves one. Successful exploitation executes code in the context of the current process running IrfanView. The issue is tracked as ZDI-CAN-26209 and is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Attackers can execute arbitrary code on workstations that open a malicious DWG file with IrfanView, compromising user data and providing a foothold on the host.

Affected Products

  • IrfanView (x64 and x86 builds bundled with the CADImage plugin)
  • CADSoftTools CADImage Plugin for IrfanView (x64)
  • CADSoftTools CADImage Plugin for IrfanView (x86)

Discovery Timeline

  • 2025-07-21 - CVE-2025-7277 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7277

Vulnerability Analysis

The vulnerability lives inside the CADImage plugin, a third-party add-on that allows IrfanView to render CAD formats such as DWG. When the plugin parses a DWG file, it consumes structured records that describe drawing entities, layers, and metadata. The parser does not adequately validate fields read from the file before using them to drive memory operations.

An attacker-controlled value influences a memory operation, producing a corruption primitive within the IrfanView process address space. With careful shaping of the input file, the primitive can be steered to overwrite critical structures and ultimately redirect control flow. Code then runs with the privileges of the user that launched IrfanView.

Because IrfanView is typically run interactively on user workstations, exploitation aligns with phishing and drive-by file delivery techniques. Document handlers and email clients that automatically render or pre-process attachments expand the practical attack surface.

Root Cause

The root cause is missing or insufficient bounds validation on attacker-controlled fields parsed from DWG records, consistent with [CWE-119]. The parser trusts size or offset values from the file when calculating memory writes, allowing crafted inputs to reach an out-of-bounds or otherwise invalid memory operation.

Attack Vector

The attack vector is local file processing with required user interaction. An attacker delivers a malicious DWG file through email, a shared drive, or a web page link. When the victim opens the file with IrfanView, the CADImage plugin processes it and triggers the corruption. The full ZDI write-up is available in the Zero Day Initiative Advisory ZDI-25-524.

No verified public proof-of-concept code is available. The vulnerability is described in prose only and no synthetic exploit code is provided.

Detection Methods for CVE-2025-7277

Indicators of Compromise

  • Unexpected i_view64.exe or i_view32.exe child processes such as cmd.exe, powershell.exe, or rundll32.exe following the open of a .dwg file.
  • IrfanView process crashes (Windows Error Reporting events) referencing the CADImage plugin DLL while parsing a DWG file.
  • DWG files arriving from untrusted email senders or download locations that diverge from normal CAD workflows in the organization.
  • Outbound network connections initiated by i_view64.exe or i_view32.exe shortly after image or CAD file access.

Detection Strategies

  • Hunt for IrfanView spawning interactive shells or scripting interpreters, which is anomalous for an image viewer.
  • Alert on DLL loads of the CADImage plugin followed by access-violation exceptions in IrfanView within the same process lifetime.
  • Correlate file creation events for .dwg files in user download and mail attachment directories with subsequent IrfanView execution.

Monitoring Recommendations

  • Enable command-line and process-tree logging on endpoints where IrfanView is installed.
  • Forward Windows Error Reporting and application crash telemetry to a central SIEM for trend analysis.
  • Track endpoint inventory for installed copies of the CADImage plugin and the corresponding IrfanView build numbers.

How to Mitigate CVE-2025-7277

Immediate Actions Required

  • Update IrfanView and the CADImage plugin to the latest versions published by the respective vendors.
  • Restrict opening of DWG files from untrusted sources and block such attachments at the email gateway where feasible.
  • Remove the CADImage plugin from systems that do not have a business need to render CAD content in IrfanView.
  • Apply standard-user privileges to workstations so that successful exploitation does not yield administrative rights.

Patch Information

Refer to the Zero Day Initiative Advisory ZDI-25-524 for vendor-supplied remediation guidance. Users should download the most recent IrfanView release and matching CADImage plugin version from the official vendor sites and verify the installed plugin DLL version after upgrade.

Workarounds

  • Uninstall the CADImage plugin until a fixed version is deployed if DWG rendering in IrfanView is not required.
  • Associate .dwg files with a dedicated CAD application that is not affected by this vulnerability, rather than IrfanView.
  • Open untrusted DWG files only inside a disposable virtual machine or sandboxed environment isolated from production data.
bash
# Remove the CADImage plugin DLL from a managed IrfanView install (Windows, run as admin)
set IRFAN_DIR="C:\Program Files\IrfanView\Plugins"
if exist %IRFAN_DIR%\CADIMAGE.DLL (
    takeown /f %IRFAN_DIR%\CADIMAGE.DLL
    del /f /q %IRFAN_DIR%\CADIMAGE.DLL
)

# Block .dwg attachments at the mail transport layer (Exchange example)
New-TransportRule -Name "Block DWG Attachments" `
    -AttachmentExtensionMatchesWords "dwg" `
    -RejectMessageReasonText "DWG attachments are blocked due to CVE-2025-7277"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.