Skip to main content
CVE Vulnerability Database

CVE-2025-7300: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7300 is a remote code execution flaw in Cadsofttools Cadimage that enables attackers to execute arbitrary code through malicious DWG files. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-7300 Overview

CVE-2025-7300 is a memory corruption vulnerability in the IrfanView CADImage plugin developed by CADSoftTools. The flaw resides in the plugin's DWG file parsing logic and allows attackers to execute arbitrary code in the context of the IrfanView process. Exploitation requires user interaction, such as opening a malicious DWG file or visiting a page that delivers one. The Zero Day Initiative tracks this issue as ZDI-CAN-26377 and published advisory ZDI-25-547. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Successful exploitation results in arbitrary code execution under the privileges of the user running IrfanView, enabling full compromise of the user session.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x86 and x64 builds)
  • IrfanView (x86 and x64 builds) with the CADImage plugin installed
  • Workstations processing DWG files through IrfanView

Discovery Timeline

  • 2025-07-21 - CVE-2025-7300 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7300

Vulnerability Analysis

The vulnerability lives inside the CADImage plugin, which extends IrfanView to render CAD formats including AutoCAD DWG. When the plugin parses a crafted DWG file, it fails to validate user-supplied data correctly before using it to drive memory operations. This results in a memory corruption condition that an attacker can shape to hijack execution flow. The Zero Day Initiative advisory ZDI-25-547 documents the issue as a remote code execution vector triggered through file parsing.

Because the CADImage plugin executes inside the IrfanView process, any code the attacker plants runs with the same privileges as the user who opened the file. Standard endpoint users frequently double-click drawing files received over email or downloaded from the web, which provides a realistic delivery path.

Root Cause

The root cause is missing validation of fields inside the DWG file structure during parsing. DWG is a complex binary format containing offsets, length fields, and object references. When the plugin trusts attacker-controlled length or index values, it reads or writes outside the allocated buffer. This boundary failure aligns with [CWE-119] and produces the memory corruption primitive used to gain control.

Attack Vector

An attacker crafts a malicious DWG file and delivers it through phishing, a watering-hole page, or a shared file repository. The victim opens the file with IrfanView, the CADImage plugin processes the malformed structures, and corrupted memory allows the attacker to redirect execution. The attack vector is local and requires user interaction, but no authentication or elevated privileges are needed on the target system.

No public proof-of-concept exploit is currently listed for CVE-2025-7300. Technical specifics are described in the Zero Day Initiative Advisory ZDI-25-547.

Detection Methods for CVE-2025-7300

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, especially command shells, script interpreters, or rundll32.exe
  • DWG files delivered via email attachments, browser downloads, or removable media that trigger IrfanView execution
  • Crashes or Windows Error Reporting entries referencing the CADImage plugin module shortly before suspicious process activity
  • Outbound network connections initiated by the IrfanView process to unfamiliar hosts after a DWG file is opened

Detection Strategies

  • Hunt for process lineage where IrfanView is the parent of interactive shells, PowerShell, or living-off-the-land binaries
  • Inspect file-open telemetry for .dwg extensions handled by IrfanView on endpoints that do not normally process CAD files
  • Correlate IrfanView module load events for the CADImage plugin with subsequent memory allocation anomalies or access violations

Monitoring Recommendations

  • Forward endpoint process, file, and module-load events to a centralized analytics platform for retrospective hunting
  • Alert on DWG files originating from external sources opened by non-engineering users
  • Track IrfanView crash signatures across the fleet to identify exploitation attempts that fail before achieving code execution

How to Mitigate CVE-2025-7300

Immediate Actions Required

  • Inventory endpoints running IrfanView with the CADImage plugin installed and prioritize those handling externally sourced files
  • Block or quarantine inbound DWG attachments at the email gateway until patched versions are deployed
  • Restrict file-type associations so DWG files do not automatically open with IrfanView for non-CAD users
  • Apply application allowlisting that prevents IrfanView from spawning shell or scripting interpreters

Patch Information

No vendor patch URL is published in the NVD data for CVE-2025-7300 at the time of writing. Administrators should monitor the Zero Day Initiative Advisory ZDI-25-547 and CADSoftTools release channels for the fixed CADImage plugin build, and update to the latest IrfanView version that bundles the corrected plugin.

Workarounds

  • Remove or disable the CADImage plugin from IrfanView installations where DWG rendering is not required
  • Open untrusted DWG files only inside an isolated virtual machine or sandboxed environment
  • Enforce Windows Mark-of-the-Web handling so files from the internet are blocked from automatic processing
  • Train users to validate the source of CAD files before opening them with IrfanView

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.