CVE-2025-7295 Overview
CVE-2025-7295 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the parsing logic for DWG (AutoCAD Drawing) files and allows attackers to execute arbitrary code in the context of the IrfanView process. Exploitation requires user interaction: a target must open a crafted DWG file or visit a page that delivers one. The Zero Day Initiative tracks the issue as ZDI-CAN-26242 and published advisory ZDI-25-544. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Attackers can achieve arbitrary code execution on Windows endpoints running vulnerable IrfanView installations after a user opens a malicious DWG file.
Affected Products
- IrfanView (x86 and x64 builds)
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7295 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7295
Vulnerability Analysis
The vulnerability exists in the DWG file parser shipped with the CADImage plugin for IrfanView. DWG is a proprietary binary format used by AutoCAD and related CAD applications, containing structured records for entities, blocks, and metadata. The CADImage parser processes these records to render previews inside IrfanView. When a crafted DWG file is loaded, the parser mishandles untrusted size or offset fields, producing a memory corruption condition that an attacker can shape into arbitrary code execution.
Because IrfanView is widely registered as the default handler for graphics formats on Windows, simply double-clicking a DWG file or rendering a thumbnail can invoke the vulnerable code path. The attacker executes code with the privileges of the logged-on user, providing a foothold for further lateral movement or persistence.
Root Cause
The root cause is a lack of proper validation of user-supplied data during DWG parsing, mapped to [CWE-119]. Length, count, or offset fields read from the DWG file are trusted without verification against the actual size of the destination buffer or source data. The resulting out-of-bounds memory access corrupts adjacent process structures, including pointers and control data that influence later execution flow.
Attack Vector
The attack is local and requires user interaction. An attacker delivers a malicious DWG file through email attachment, drive-by download, file-sharing service, or a web page that prompts the user to open the file. When the victim opens the file with IrfanView, or previews it through the CADImage plugin, the parser triggers the memory corruption. No elevated privileges are required from the attacker, and the resulting code runs in the security context of the current user.
No proof-of-concept code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical specifics are documented in the Zero Day Initiative Advisory ZDI-25-544.
Detection Methods for CVE-2025-7295
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command interpreters such as cmd.exe, powershell.exe, or rundll32.exe.
- Crashes or Windows Error Reporting events referencing CADImage.dll or DWG-handling modules within IrfanView.
- DWG files arriving via email or download from untrusted sources, especially with mismatched MIME types or unusual file sizes.
- Outbound network connections initiated by the IrfanView process immediately after a file open event.
Detection Strategies
- Monitor process creation events where the parent is IrfanView and the child is a scripting host, LOLBin, or networking utility.
- Inspect endpoint telemetry for module loads of CADImage.dll followed by exception or access-violation events.
- Apply YARA or content-inspection rules on email gateways and proxies to flag DWG attachments from external senders.
- Correlate file-open events for .dwg extensions with subsequent suspicious process or registry activity on the same host.
Monitoring Recommendations
- Enable command-line and module-load logging through Sysmon or equivalent EDR telemetry on workstations running IrfanView.
- Forward IrfanView crash dumps and Application event log entries to a centralized SIEM for review.
- Baseline normal IrfanView behavior so that anomalous child processes or network calls generate high-fidelity alerts.
How to Mitigate CVE-2025-7295
Immediate Actions Required
- Update the CADImage plugin and IrfanView to the latest versions released by CADSoftTools and IrfanView once a fixed build is available.
- Restrict opening of DWG files originating from external email, messaging, or web sources until patches are applied.
- Remove or disable the CADImage plugin on endpoints that do not require CAD preview functionality.
- Inventory hosts running IrfanView using software asset management tools and prioritize patching for users who handle CAD content.
Patch Information
Review the Zero Day Initiative Advisory ZDI-25-544 for vendor coordination status and follow CADSoftTools and IrfanView official download channels for the patched plugin and host application releases. Verify version numbers after installation to confirm the fixed build is in place.
Workarounds
- Unregister IrfanView as the default handler for .dwg files and route CAD previews through a sandboxed or dedicated CAD application.
- Block .dwg attachments at the email gateway or quarantine them for inspection when the sender is external.
- Apply Windows Defender Application Control or AppLocker policies that prevent IrfanView from spawning script interpreters and command shells.
# Example PowerShell to remove the .dwg file association for IrfanView
# Run from an elevated session; verify before deployment
Reg.exe delete "HKCR\.dwg" /f
Reg.exe delete "HKCR\IrfanView.DWG" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

