CVE-2025-7299 Overview
CVE-2025-7299 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the plugin's parsing of DWG (AutoCAD Drawing) files. Attackers can trigger memory corruption by supplying a malformed DWG file to a user running a vulnerable IrfanView installation with the CADImage Plugin enabled.
Successful exploitation enables arbitrary code execution in the context of the current process. Exploitation requires user interaction: the victim must open a malicious DWG file or visit a page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26376 and is tracked under [CWE-119] Improper Restriction of Operations within the Bounds of a Memory Buffer.
Critical Impact
Remote attackers can execute arbitrary code on affected IrfanView installations when a user opens a crafted DWG file, leading to full compromise of the user context.
Affected Products
- IrfanView (x86 and x64 builds with the CADImage plugin)
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7299 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7299
Vulnerability Analysis
The vulnerability exists in the DWG file parser inside the CADImage Plugin loaded by IrfanView. DWG is a proprietary binary format used by AutoCAD and compatible CAD tools to store 2D and 3D drawing data. Parsing this format requires interpreting numerous nested structures, length fields, and object references.
The CADImage parser fails to properly validate user-supplied data within a DWG file before using it in memory operations. This deficiency results in a memory corruption condition when the parser processes attacker-controlled values. Because IrfanView runs in user mode and typically loads plugins in-process, the corruption occurs inside the IrfanView process address space.
An attacker who controls the corrupted memory region can pivot to arbitrary code execution in the context of the user running IrfanView. The vector is local because the malicious file must reach the host, but delivery through web download, email attachment, or removable media is straightforward.
Root Cause
The root cause is the lack of proper validation of length, offset, or count fields parsed from a DWG file before they drive memory writes or reads. Insufficient bounds checking in the CADImage parser allows attacker-supplied values to corrupt adjacent memory, classified under [CWE-119].
Attack Vector
Exploitation requires that a user open a malicious DWG file in IrfanView with the CADImage plugin installed, or be lured into doing so via a webpage or social engineering. No authentication is required. Once the file is parsed, the corrupted memory state enables hijacking control flow within i_view32.exe or i_view64.exe.
No public proof-of-concept code is available for CVE-2025-7299. Refer to the Zero Day Initiative Advisory ZDI-25-573 for additional technical context.
Detection Methods for CVE-2025-7299
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- DWG files arriving via email, browser download, or removable media followed by IrfanView process crashes or Windows Error Reporting (WER) entries referencing the CADImage plugin DLL.
- Outbound network connections originating from the IrfanView process shortly after a DWG file is opened.
Detection Strategies
- Hunt for process lineage where IrfanView is the parent of script interpreters, LOLBins, or unsigned binaries written to user-writable paths.
- Inspect file write events from IrfanView to autorun locations such as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and the Run registry keys.
- Correlate DWG file opens with anomalous memory allocations or module loads inside the IrfanView process using EDR telemetry.
Monitoring Recommendations
- Enable command-line and module-load logging on endpoints where IrfanView is installed and forward events to your SIEM.
- Monitor for the CADImage plugin DLL being loaded by IrfanView from non-standard paths.
- Track crash dumps and WER reports referencing IrfanView or CADImage as a leading indicator of exploitation attempts.
How to Mitigate CVE-2025-7299
Immediate Actions Required
- Inventory endpoints with IrfanView and the CADImage plugin installed and prioritize systems handling untrusted CAD content.
- Update IrfanView and the CADImage plugin to the latest version published by CADSoftTools and IrfanView once a fixed release is available.
- Block DWG attachments at the email gateway unless required, and quarantine DWG files from untrusted external sources.
- Instruct users not to open DWG files received from unknown senders or downloaded from untrusted websites.
Patch Information
Review the Zero Day Initiative Advisory ZDI-25-573 for vendor coordination status. Apply the latest CADImage plugin and IrfanView updates published by CADSoftTools and IrfanView as soon as they are made available.
Workarounds
- Remove or disable the CADImage plugin on systems that do not require DWG support by deleting CADImage.dll from the IrfanView Plugins directory.
- Associate DWG files with a dedicated CAD viewer running in a sandboxed environment rather than IrfanView.
- Run IrfanView under a low-privilege user account and enforce application allow-listing to limit post-exploitation impact.
# Disable the CADImage plugin by renaming the DLL (run as administrator)
cd "C:\Program Files\IrfanView\Plugins"
ren CADImage.dll CADImage.dll.disabled
# Verify the plugin no longer loads
tasklist /m CADImage.dll
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

