CVE-2025-7284 Overview
CVE-2025-7284 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code on affected installations. The flaw resides in the DWG file parsing routine and stems from insufficient validation of user-supplied data [CWE-119]. Exploitation requires user interaction: a victim must open a malicious DWG file or visit a malicious page that delivers one. Successful exploitation lets an attacker run code in the context of the current process. The issue was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-26220 and disclosed in advisory ZDI-25-536.
Critical Impact
Attackers can achieve arbitrary code execution in the user's process context by delivering a crafted DWG file to a vulnerable IrfanView installation.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) with the CADImage plugin installed
- Windows systems running vulnerable plugin versions
Discovery Timeline
- 2025-07-21 - CVE-2025-7284 published to the National Vulnerability Database
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2025-7284
Vulnerability Analysis
The vulnerability resides in the CADImage plugin distributed by CADSoftTools for the IrfanView image viewer. CADImage extends IrfanView with the ability to render computer-aided design formats including AutoCAD DWG. When the plugin parses a crafted DWG file, it fails to properly validate user-supplied length or offset fields embedded within the file structure. This missing validation produces a memory corruption condition that an attacker can shape to redirect execution flow. The result is arbitrary code execution within the process loading the file, which is typically i_view32.exe or i_view64.exe.
Because IrfanView is widely used as a default image viewer and supports a long list of file formats through plugins, DWG files are an attractive delivery channel. The attack surface extends to any workflow that opens untrusted image archives, email attachments, or shared design files.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer during DWG parsing [CWE-119]. The plugin trusts structural fields inside the DWG file without verifying that subsequent reads or writes remain within allocated buffers. Crafted records can therefore drive the parser into out-of-bounds memory access or write operations that corrupt adjacent structures.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious DWG file by email, web download, or a drive-by page that prompts the user to open the file with IrfanView. Once the user opens the file, the CADImage plugin parses the malformed structures and triggers the memory corruption. Code executes with the privileges of the logged-in user, which is sufficient for credential theft, persistence, or staging follow-on payloads.
No authentication is required, and the complexity of building a weaponized DWG is comparable to other file-format parsing flaws. See the Zero Day Initiative Advisory ZDI-25-536 for additional context.
Detection Methods for CVE-2025-7284
Indicators of Compromise
- Unexpected crashes of i_view32.exe or i_view64.exe with access violation faults when opening .dwg files
- DWG files arriving via email, chat, or web download from untrusted senders, especially with mismatched extensions or oversized headers
- Child processes spawned by IrfanView such as cmd.exe, powershell.exe, or rundll32.exe shortly after a file open event
- Writes to user-writable persistence locations (%AppData%, Run registry keys) following IrfanView execution
Detection Strategies
- Hunt for process lineage where IrfanView spawns scripting interpreters or LOLBins, which is uncommon during normal viewing activity
- Monitor Windows Error Reporting (WER) and crash dumps referencing the CADImage plugin module for parsing failures
- Inspect file-open telemetry to correlate .dwg extensions with subsequent suspicious network connections or file writes
Monitoring Recommendations
- Enable command-line and module-load logging on endpoints running IrfanView to capture plugin activity
- Forward endpoint telemetry to a centralized data lake and apply behavioral rules that flag image viewers launching interpreters
- Track inbound DWG attachments at email gateways and sandbox detonate them before delivery
How to Mitigate CVE-2025-7284
Immediate Actions Required
- Inventory endpoints with IrfanView installed and identify those carrying the CADImage plugin
- Restrict file associations so DWG files do not open automatically in IrfanView for standard users
- Block or quarantine DWG attachments at the email gateway pending patch deployment
- Educate users to avoid opening unsolicited CAD files and to verify the origin of design assets
Patch Information
At the time of publication, refer to the Zero Day Initiative Advisory ZDI-25-536 and the CADSoftTools and IrfanView vendor pages for the latest plugin update. Apply the most recent CADImage plugin release and the latest IrfanView build that includes the corrected DWG parser. Verify the installed plugin version after patching and remove any orphaned older copies from per-user installation directories.
Workarounds
- Uninstall the CADImage plugin from IrfanView if DWG support is not required for business operations
- Use Windows AppLocker or WDAC policies to prevent execution of unsigned or unexpected DWG handlers
- Run IrfanView under a low-privilege standard user account, never as administrator, to limit post-exploitation impact
- Open untrusted DWG files only inside a disposable virtual machine or sandboxed environment
# Example: remove DWG file association for IrfanView on Windows
reg delete "HKCU\Software\Classes\.dwg\OpenWithProgids" /v "IrfanView" /f
reg delete "HKLM\SOFTWARE\Classes\IrfanView.DWG" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

