CVE-2025-7279 Overview
CVE-2025-7279 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage Plugin. The flaw exists in the parsing logic for Computer Graphics Metafile (CGM) files. The plugin fails to properly validate user-supplied data, allowing a read past the end of an allocated buffer. Attackers can leverage this condition to execute arbitrary code in the context of the current process.
Exploitation requires user interaction. A victim must open a crafted CGM file or visit a malicious page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26213 and disclosed in advisory ZDI-25-527.
Critical Impact
Successful exploitation grants arbitrary code execution under the privileges of the IrfanView process, enabling full compromise of the user's session.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) installations using the CADImage plugin
- Windows endpoints with vulnerable plugin versions installed
Discovery Timeline
- 2025-07-21 - CVE-2025-7279 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7279
Vulnerability Analysis
The vulnerability resides in the CADImage plugin's CGM file parser. CGM is a binary vector graphics format containing structured records that describe graphical elements. The parser reads length and offset fields directly from the file and uses them as indices into in-memory buffers without sufficient bounds checking.
When the parser encounters a crafted record with manipulated size or pointer fields, it reads memory beyond the allocated buffer. The out-of-bounds read can leak sensitive process memory and, more critically, enables attacker-controlled values to influence subsequent operations. By chaining the read primitive with predictable heap layouts, an attacker can pivot to arbitrary code execution within the IrfanView process.
The CWE-125 classification confirms the underlying weakness as improper restriction of operations within the bounds of a memory buffer. Because IrfanView is widely deployed as a default image viewer, CGM files associated with the plugin can be opened with a double-click.
Root Cause
The root cause is missing validation of length and offset fields parsed from untrusted CGM input. The plugin trusts attacker-controlled metadata to compute buffer accesses, violating safe memory access patterns expected during binary format parsing.
Attack Vector
The attack vector is local but requires user interaction. An attacker delivers a malicious .cgm file through email attachments, drive-by downloads, archive bundles, or file-sharing platforms. When the victim opens the file in IrfanView with the CADImage plugin installed, the parser triggers the out-of-bounds read and exploitation occurs in-process.
The vulnerability mechanism is documented in the Zero Day Initiative Advisory ZDI-25-527. No public proof-of-concept exploit is currently available.
Detection Methods for CVE-2025-7279
Indicators of Compromise
- Unexpected i_view32.exe or i_view64.exe child processes spawning command shells, powershell.exe, or rundll32.exe
- CGM files (.cgm extension) delivered through email, archives, or web downloads from untrusted sources
- IrfanView process crashes referencing the CADImage.dll plugin module in Windows Error Reporting
- Outbound network connections initiated by the IrfanView process shortly after opening a CGM file
Detection Strategies
- Deploy behavioral endpoint detection rules that flag image viewers spawning interpreters or shells
- Apply YARA rules targeting malformed CGM header structures with anomalous record length fields
- Monitor for IrfanView process memory access violations and exceptions logged in the Windows Application event log
- Inspect email gateways and web proxies for .cgm attachments and downloads, which are uncommon in most enterprises
Monitoring Recommendations
- Enable command-line auditing (Event ID 4688) to capture child processes of IrfanView
- Forward Sysmon Event IDs 1, 7, and 11 to a centralized SIEM for correlation
- Track installation of the CADImage plugin across the fleet via software inventory tools
How to Mitigate CVE-2025-7279
Immediate Actions Required
- Identify all endpoints with IrfanView and the CADImage plugin installed using software inventory
- Block delivery of .cgm files at email gateways and web proxies until patched
- Restrict file association of .cgm to a sandboxed viewer or remove the association entirely
- Communicate to users not to open CGM files received from untrusted sources
Patch Information
No vendor advisory URL was published at the time of NVD entry. Administrators should monitor the CADSoftTools CADImage plugin page and the IrfanView download site for updated plugin builds. Apply the latest CADImage plugin release once the vendor confirms the fix referenced in ZDI-25-527.
Workarounds
- Uninstall the CADImage plugin from IrfanView installations where CGM rendering is not required
- Remove the .cgm file association from IrfanView to prevent automatic parsing on double-click
- Run IrfanView under a low-privilege user account or within an application sandbox such as Windows Sandbox
- Enforce Attack Surface Reduction rules that block Office and image viewers from creating child processes
# Windows: remove .cgm file association to mitigate automatic parsing
assoc .cgm=
ftype IrfanView.CGM=
# Optional: deny execution of CADImage plugin DLL via AppLocker / WDAC policy
icacls "%ProgramFiles%\IrfanView\Plugins\CADImage.dll" /deny Everyone:(RX)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

