CVE-2025-7280 Overview
CVE-2025-7280 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the parsing logic for DWG (AutoCAD Drawing) files and stems from insufficient validation of user-supplied data [CWE-119]. Attackers can craft a malicious DWG file that triggers memory corruption when opened in IrfanView, leading to arbitrary code execution in the context of the current process. Exploitation requires user interaction — the victim must open the malicious file or visit a page that delivers it. The issue was reported through the Zero Day Initiative as ZDI-CAN-26214 and published as advisory ZDI-25-528.
Critical Impact
Successful exploitation grants arbitrary code execution under the privileges of the user running IrfanView, with full impact on confidentiality, integrity, and availability.
Affected Products
- IrfanView (x64 and x86) installations bundling the CADImage Plugin
- CADSoftTools CADImage Plugin for IrfanView (x64)
- CADSoftTools CADImage Plugin for IrfanView (x86)
Discovery Timeline
- 2025-07-21 - CVE-2025-7280 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7280
Vulnerability Analysis
The vulnerability exists within the DWG file parser implemented by the CADImage Plugin, which extends IrfanView with support for AutoCAD-format drawings. When the plugin processes a DWG file, it fails to properly validate fields supplied within the file structure before using them in memory operations. A crafted file can drive the parser into an out-of-bounds memory access, corrupting adjacent process memory.
Because IrfanView is a desktop image viewer commonly associated with file types through Windows Explorer, opening a file from email, removable media, or a download is sufficient to reach the vulnerable parser. The Zero Day Initiative tracks this issue under advisory ZDI-25-528.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119] inside the CADImage DWG handler. Length, offset, or count fields read from the attacker-controlled DWG structure are trusted without bounds checking, allowing the parser to read or write outside the intended buffer.
Attack Vector
The attack vector is local file processing with required user interaction. An attacker hosts or distributes a malicious DWG file and induces the victim to open it in an IrfanView installation that has the CADImage Plugin enabled. Once parsing begins, the corruption primitive can be steered to hijack control flow and execute attacker-controlled code in the context of the IrfanView process. No authentication is required by the attacker, and no elevated privileges are needed to trigger the bug.
No public proof-of-concept code has been published. For technical details refer to the Zero Day Initiative Advisory ZDI-25-528.
Detection Methods for CVE-2025-7280
Indicators of Compromise
- Unexpected crashes of i_view64.exe or i_view32.exe correlated with DWG file opens, often visible as Windows Error Reporting (WER) entries referencing the CADImage plugin module.
- DWG files arriving via email attachments, instant messaging, or browser downloads from untrusted sources, especially with mismatched extensions or embedded in archives.
- Child processes spawned by IrfanView (for example cmd.exe, powershell.exe, or rundll32.exe) shortly after a DWG file is opened.
Detection Strategies
- Hunt for process lineage where IrfanView (i_view*.exe) is the parent of script interpreters or LOLBins, which is highly unusual for a viewer application.
- Inspect file telemetry for .dwg files written to user directories such as %TEMP%, %USERPROFILE%\Downloads, and email client cache paths, then opened by IrfanView.
- Correlate IrfanView crash events with subsequent network connections from the same host to identify post-exploitation beaconing.
Monitoring Recommendations
- Enable command-line and module load auditing on endpoints where IrfanView is installed, and forward events to a centralized analytics platform.
- Track loads of CADImage plugin DLLs by IrfanView and alert when followed by anomalous memory allocations or thread creations.
- Monitor for new persistence artifacts (Run keys, scheduled tasks, startup folder entries) created in the minutes following DWG file activity.
How to Mitigate CVE-2025-7280
Immediate Actions Required
- Inventory all endpoints running IrfanView and identify which have the CADImage Plugin installed.
- Remove or disable the CADImage Plugin on systems that do not require DWG/DXF viewing until a fixed version is confirmed installed.
- Block inbound DWG attachments at the email gateway and quarantine DWG files originating from untrusted external sources.
- Restrict file association so that DWG files do not open automatically in IrfanView from web or email contexts.
Patch Information
At the time of NVD publication, no vendor patch URL is referenced in the advisory metadata. Administrators should consult CADSoftTools and IrfanView download pages for the latest CADImage Plugin release that addresses ZDI-CAN-26214 / ZDI-25-528, and apply the update across all affected x86 and x64 installations.
Workarounds
- Uninstall the CADImage Plugin from IrfanView on hosts that do not need CAD format support.
- Apply application allow-listing to prevent IrfanView from spawning interpreters such as cmd.exe, powershell.exe, or wscript.exe.
- Run IrfanView under a standard user account and enable Windows Exploit Protection (DEP, ASLR, CFG) for i_view64.exe and i_view32.exe.
- Train users to avoid opening DWG files from untrusted sources and to verify sender authenticity before opening CAD attachments.
# Example: enable Windows Exploit Protection mitigations for IrfanView via PowerShell
Set-ProcessMitigation -Name "i_view64.exe" -Enable DEP,EmulateAtlThunks,ForceRelocateImages,BottomUp,HighEntropy,SEHOP,CFG,StrictCFG
Set-ProcessMitigation -Name "i_view32.exe" -Enable DEP,EmulateAtlThunks,ForceRelocateImages,BottomUp,SEHOP,CFG,StrictCFG
# Optional: remove DWG file association tied to IrfanView
Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dwg\UserChoice" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

