CVE-2025-7297 Overview
CVE-2025-7297 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code on affected installations. The flaw resides in the plugin's parsing of DWG files, a CAD drawing format commonly opened through IrfanView. Exploitation requires user interaction: the target must open a malicious DWG file or visit a page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26244 and disclosed in advisory ZDI-25-545. Code executes in the context of the current user process, giving attackers the same privileges as the logged-in user.
Critical Impact
Successful exploitation results in arbitrary code execution in the context of the IrfanView process, enabling full compromise of user data and credentials on the affected host.
Affected Products
- IrfanView (x86 and x64 builds)
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- Windows systems running vulnerable IrfanView installations with CADImage installed
Discovery Timeline
- 2025-07-21 - CVE-2025-7297 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7297
Vulnerability Analysis
The vulnerability is a memory corruption issue [CWE-119] triggered during DWG file parsing inside the CADImage plugin. DWG is a binary CAD format with nested records and length-prefixed structures, which makes it a frequent target for parser flaws. An attacker crafts a DWG file containing malformed structures that the plugin fails to validate before copying into memory. When IrfanView loads the file through the CADImage handler, the corrupted state allows the attacker to overwrite adjacent data or control structures. Because the plugin runs in-process with IrfanView, the resulting code execution inherits the user's privileges and access to the file system.
Root Cause
The root cause is the lack of proper validation of user-supplied data within the DWG parsing routines of the CADImage plugin. Length fields, offsets, or record sizes from the untrusted file are used without bounds checking, leading to a memory corruption condition during deserialization of DWG structures.
Attack Vector
The attack vector is local file processing with required user interaction. An attacker delivers a malicious DWG file by email, web download, shared drive, or drive-by page. When the user opens the file with IrfanView, or with a tool that invokes IrfanView as a viewer, the CADImage plugin parses the file and triggers the flaw. No network authentication is needed and no separate privilege is required beyond what the target user already holds.
No public proof-of-concept code is available for CVE-2025-7297. Technical details are tracked in the Zero Day Initiative Advisory ZDI-25-545.
Detection Methods for CVE-2025-7297
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly cmd.exe, powershell.exe, or rundll32.exe
- DWG files arriving from email attachments, browser downloads, or removable media immediately before IrfanView process anomalies
- Crash dumps or Windows Error Reporting events referencing the CADImage plugin DLL during DWG file open operations
- Outbound network connections initiated by the IrfanView process to unknown hosts shortly after a DWG file is opened
Detection Strategies
- Hunt for process lineage where IrfanView spawns scripting interpreters, LOLBins, or unsigned binaries from user-writable paths
- Inspect file write activity by IrfanView outside expected output directories, including %TEMP%, %APPDATA%, and startup folders
- Correlate DWG file open events with module loads of the CADImage plugin DLL and subsequent abnormal memory allocations
Monitoring Recommendations
- Forward endpoint process, file, and module-load telemetry to a central analytics platform and alert on IrfanView spawning non-image-handling children
- Track inbound DWG attachments through email security gateways and tag sender reputation to drive prioritized review
- Enable Windows Defender Exploit Guard or equivalent attack surface reduction rules that block child process creation from Office and viewer applications
How to Mitigate CVE-2025-7297
Immediate Actions Required
- Inventory all endpoints running IrfanView and identify those with the CADImage plugin installed
- Update IrfanView and the CADImage plugin to the latest versions provided by IrfanView and CADSoftTools
- Restrict opening of DWG files from untrusted sources until patched versions are deployed across the environment
- Apply the principle of least privilege so that users running IrfanView do not hold local administrator rights
Patch Information
Review the Zero Day Initiative Advisory ZDI-25-545 for the current vendor remediation status. Install the latest IrfanView release and the latest CADImage plugin build from CADSoftTools, then verify the installed plugin version on each host after deployment.
Workarounds
- Remove the CADImage plugin from IrfanView installations where DWG support is not required
- Block DWG file attachments at the email gateway and on web proxies for user groups that do not need CAD workflows
- Disassociate the .dwg extension from IrfanView so that double-clicking a DWG file does not invoke the vulnerable parser
- Run IrfanView in a sandboxed or virtualized environment when DWG files from external sources must be reviewed
# Remove DWG file association for IrfanView (run as administrator)
reg delete "HKCR\.dwg" /f
reg delete "HKCR\IrfanView.DWG" /f
# Block DWG attachments at Exchange Online (PowerShell)
New-TransportRule -Name "Block DWG Attachments" \
-AttachmentExtensionMatchesWords "dwg" \
-RejectMessageReasonText "DWG attachments blocked pending CVE-2025-7297 remediation"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

