Skip to main content
CVE Vulnerability Database

CVE-2025-7283: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7283 is a remote code execution vulnerability in Cadsofttools Cadimage that enables attackers to execute arbitrary code through malicious DWG files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7283 Overview

CVE-2025-7283 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw exists in the plugin's parsing of DWG files, a common CAD drawing format. Attackers can leverage improper validation of user-supplied data to corrupt memory and execute arbitrary code in the context of the current IrfanView process.

Exploitation requires user interaction. A target must open a malicious DWG file or visit a page that delivers one. The issue was reported through Trend Micro's Zero Day Initiative as ZDI-CAN-26219 and disclosed in advisory ZDI-25-531. The vulnerability maps to [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Successful exploitation grants attackers arbitrary code execution with the privileges of the IrfanView user, enabling malware installation, credential theft, and lateral movement.

Affected Products

  • CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) installations bundling the CADImage Plugin
  • Windows systems where the plugin is registered to handle DWG files

Discovery Timeline

  • 2025-07-21 - CVE-2025-7283 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7283

Vulnerability Analysis

The vulnerability resides in the DWG file parser within the CADImage Plugin loaded by IrfanView. DWG is a proprietary binary format used by AutoCAD and compatible tools to store 2D and 3D design data. The parser reads structured records describing entities, headers, and object tables from the file.

The plugin fails to properly validate fields supplied by the DWG file before using them in memory operations. This missing bounds check produces a memory corruption condition classified under [CWE-119]. Attackers who control the malformed field values can overwrite adjacent memory structures, including function pointers or heap metadata.

Because IrfanView invokes the plugin whenever it opens a DWG file, exploitation follows the standard client-side file-format attack pattern. The Zero Day Initiative advisory tracks additional technical context under ZDI-25-531.

Root Cause

The root cause is the lack of proper validation of user-supplied data inside the DWG parsing routines of the CADImage Plugin. Length or index fields extracted from the file are trusted without verification, allowing writes or reads outside allocated buffer boundaries. This condition maps directly to [CWE-119].

Attack Vector

The attack vector is local and requires user interaction. An attacker crafts a malicious DWG file and delivers it through email attachments, drive-by downloads, shared network storage, or web pages that prompt the user to open the file. When the victim opens the file in IrfanView with the CADImage Plugin installed, the parser processes the malicious data and triggers memory corruption. Code executes in the security context of the current user.

No authenticated code example or public proof of concept is available. Refer to the Zero Day Initiative Advisory ZDI-25-531 for technical detail from the disclosing party.

Detection Methods for CVE-2025-7283

Indicators of Compromise

  • Unexpected i_view32.exe or i_view64.exe process crashes with access violation exceptions after opening DWG files
  • IrfanView spawning child processes such as cmd.exe, powershell.exe, or rundll32.exe shortly after opening a CAD file
  • Inbound DWG attachments or downloads from untrusted origins immediately preceding suspicious endpoint activity
  • Outbound network connections initiated by the IrfanView process to unfamiliar hosts

Detection Strategies

  • Hunt for process lineage anomalies where IrfanView is the parent of interpreters, script hosts, or persistence-related binaries
  • Alert on module loads of CADImage.dll followed by heap or stack corruption crash events in Windows Error Reporting
  • Inspect email and web gateway telemetry for .dwg file transfers to users running IrfanView

Monitoring Recommendations

  • Enable EDR file-write and process-execution telemetry on hosts where IrfanView is installed
  • Forward Windows Application and Security event logs to a central data lake for correlation of crash events with subsequent process launches
  • Track software inventory to identify endpoints running vulnerable versions of the CADImage Plugin

How to Mitigate CVE-2025-7283

Immediate Actions Required

  • Inventory all endpoints running IrfanView and identify installations that include the CADImage Plugin
  • Block DWG files from untrusted senders at the email and web proxy layer until patches are applied
  • Instruct users not to open DWG files from unknown or unverified sources
  • Restrict IrfanView execution to standard user accounts, avoiding administrative contexts

Patch Information

At the time of NVD publication, CADSoftTools had not released a public advisory referenced in NVD. Monitor the Zero Day Initiative Advisory ZDI-25-531 and the CADSoftTools and IrfanView vendor sites for updated CADImage Plugin builds that address the DWG parsing flaw. Apply the fixed version to all affected x86 and x64 installations.

Workarounds

  • Uninstall or disable the CADImage Plugin in IrfanView until a patched version is available
  • Remove DWG file associations from IrfanView so users cannot open the format by double-click
  • Use application control policies to prevent IrfanView from loading CADImage.dll on endpoints that do not require CAD viewing
  • Enable Windows Defender Exploit Guard mitigations such as Data Execution Prevention and Control Flow Guard for the IrfanView process
bash
# Example: block DWG association and remove plugin DLL on Windows
reg delete "HKCU\Software\Classes\.dwg" /f
ren "C:\Program Files\IrfanView\Plugins\CADImage.dll" CADImage.dll.disabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.