CVE-2025-7281 Overview
CVE-2025-7281 is a memory corruption vulnerability in the IrfanView CADImage Plugin. The flaw resides in the parser that handles DWG (AutoCAD Drawing) files. The plugin fails to properly validate user-supplied data, allowing attackers to corrupt memory during file processing. An attacker can leverage this condition to execute arbitrary code in the context of the current process.
Exploitation requires user interaction. The target must open a malicious DWG file or visit a page that delivers one. The Zero Day Initiative tracked this issue as ZDI-CAN-26215 and published advisory ZDI-25-529. The weakness is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
A crafted DWG file opened in IrfanView with the CADImage Plugin can trigger arbitrary code execution in the user's session.
Affected Products
- IrfanView (x64 and x86 builds)
- CADSoftTools CADImage Plugin for IrfanView (x64 and x86 builds)
- Workstations using IrfanView as a default DWG handler
Discovery Timeline
- 2025-07-21 - CVE-2025-7281 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7281
Vulnerability Analysis
The vulnerability exists in the DWG file parsing routines inside the CADImage Plugin distributed by CADSoftTools for IrfanView. DWG is a binary CAD format containing structured records that describe drawing entities, headers, and object tables. Parsing these structures requires strict bounds checking between length fields embedded in the file and the destination buffers used during decoding.
The CADImage Plugin trusts attacker-controlled size and offset values without validating them against allocated buffer boundaries. When the plugin processes a malformed record, it reads or writes beyond the intended memory region. This memory corruption can be shaped to overwrite adjacent data, function pointers, or control structures used by the IrfanView process.
Because IrfanView runs in the user's security context, successful exploitation yields code execution at that privilege level. Refer to the ZDI-25-529 advisory for vendor-coordinated technical details.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer during DWG parsing. The plugin does not enforce that record lengths, entity counts, or offset fields fall within the bounds of allocated memory. Crafted values redirect reads and writes outside the buffer, producing a corruption condition consistent with [CWE-119].
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious .dwg file through email, a download link, a shared drive, or a web page. The victim opens the file in IrfanView, which loads the CADImage Plugin to render it. Parsing the malicious file triggers memory corruption and hands execution to attacker-controlled data.
The vulnerability does not require authentication or network access to the target. Phishing and drive-by download scenarios are realistic delivery paths because DWG files are commonly exchanged in engineering and architecture workflows.
No public proof-of-concept code is available at the time of writing. See the ZDI-25-529 advisory for additional context.
Detection Methods for CVE-2025-7281
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command shells, rundll32.exe, or scripting hosts
- Crashes or Windows Error Reporting events referencing CADImage.dll during DWG file handling
- DWG files delivered through email or web downloads from untrusted sources, especially those with anomalous size or structure
- Outbound network connections initiated by the IrfanView process shortly after a file open event
Detection Strategies
- Monitor for IrfanView processes loading CADImage.dll followed by process creation or memory injection events
- Hunt for file write activity to startup, scheduled task, or autorun locations originating from the IrfanView process tree
- Correlate Windows Defender Application Control or AppLocker telemetry with DWG file opens to surface unsigned or unexpected modules
Monitoring Recommendations
- Enable command-line auditing and Sysmon Event IDs 1, 7, and 11 to capture process, module load, and file create activity
- Track DWG file delivery in mail gateways and web proxies, and quarantine messages from external senders containing CAD attachments
- Alert on user accounts that open DWG files outside of normal CAD or engineering workflows
How to Mitigate CVE-2025-7281
Immediate Actions Required
- Inventory endpoints running IrfanView with the CADImage Plugin installed and identify business owners
- Restrict opening of DWG files from untrusted sources until a patched plugin version is deployed
- Remove or disable the CADImage Plugin on systems that do not require DWG support in IrfanView
- Reinforce user awareness on the risk of opening CAD files received through email or messaging platforms
Patch Information
Review the Zero Day Initiative Advisory ZDI-25-529 and the CADSoftTools and IrfanView product pages for the latest plugin and application releases. Apply the updated CADImage Plugin build provided by CADSoftTools and the corresponding IrfanView version as soon as it is available. Confirm the installed plugin version under IrfanView's Plugins menu after patching.
Workarounds
- Uninstall the CADImage Plugin from IrfanView installations that do not need CAD file support
- Block .dwg attachments at the email gateway and quarantine inbound CAD files for inspection
- Change the default handler for .dwg files to a vetted CAD application rather than IrfanView
- Enforce least privilege so IrfanView runs under standard user accounts, limiting the impact of successful exploitation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

