Skip to main content
CVE Vulnerability Database

CVE-2025-7301: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7301 is a remote code execution flaw in Cadsofttools Cadimage DWG file parser that enables attackers to execute arbitrary code via malicious files. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7301 Overview

CVE-2025-7301 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code through malformed DWG (drawing) files. The flaw resides in the plugin's DWG file parser, which fails to properly validate user-supplied data before processing it. Exploitation requires user interaction, where a target opens a malicious DWG file or visits a page that delivers one. Code executes in the context of the current user process. The vulnerability was reported through the Zero Day Initiative under tracking identifier ZDI-CAN-26380 and is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Successful exploitation enables arbitrary code execution under the privileges of the user running IrfanView, leading to full compromise of the user context on the affected workstation.

Affected Products

  • IrfanView (x64 and x86 builds)
  • CADSoftTools CADImage Plugin for IrfanView (x64)
  • CADSoftTools CADImage Plugin for IrfanView (x86)

Discovery Timeline

  • 2025-07-21 - CVE-2025-7301 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7301

Vulnerability Analysis

The vulnerability exists inside the CADImage Plugin's routine that parses DWG files, a binary format used by AutoCAD and other computer-aided design (CAD) software. When IrfanView loads a DWG file through the plugin, the parser reads structured fields from the file without enforcing strict bounds on attacker-controlled values. Crafted field values cause the parser to operate outside the intended memory buffer, producing a memory corruption condition.

An attacker who controls the contents of the DWG file can shape the corruption to overwrite adjacent memory structures, including data used for control-flow decisions. From there, the attacker can pivot the corrupted state into arbitrary code execution inside the IrfanView process. The attack vector is local, meaning the malicious file must reach the victim through email, web download, removable media, or a similar channel. Successful exploitation grants the attacker the same privileges as the user running IrfanView.

Root Cause

The root cause is the lack of proper validation of user-supplied data inside the DWG parsing logic of the CADImage Plugin. Untrusted length, offset, or count fields read from the file are used in memory operations without verifying that they remain within the allocated buffer, producing the out-of-bounds memory access tracked under [CWE-119].

Attack Vector

The attacker delivers a weaponized DWG file to the target and convinces the user to open it in IrfanView with the CADImage Plugin installed. Opening the file is the only required action — no further authentication or privileged interaction is needed. Refer to the Zero Day Initiative Advisory ZDI-25-548 for additional technical context.

Detection Methods for CVE-2025-7301

Indicators of Compromise

  • Unexpected crashes of i_view64.exe or i_view32.exe immediately after opening a .dwg file.
  • Child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned by IrfanView shortly after a DWG file open event.
  • DWG files arriving through email attachments, browser downloads, or removable media from untrusted senders.
  • Outbound network connections initiated by the IrfanView process to previously unseen domains or IP addresses.

Detection Strategies

  • Monitor for IrfanView processes loading the CADImage plugin DLL together with file handles to .dwg files originating from user download or temp directories.
  • Alert on process lineage where IrfanView is the parent of a scripting interpreter or command shell.
  • Inspect Windows Error Reporting and crash dumps that reference the CADImage plugin module for access violations.

Monitoring Recommendations

  • Collect endpoint telemetry covering process creation, image load, and file open events to reconstruct DWG-driven attack chains.
  • Flag DWG files transiting email gateways, web proxies, and file-sharing platforms where they are not expected business artifacts.
  • Track installation and version inventory of IrfanView and the CADImage Plugin across the fleet to identify exposed endpoints.

How to Mitigate CVE-2025-7301

Immediate Actions Required

  • Identify all endpoints running IrfanView with the CADImage Plugin installed and prioritize them for remediation.
  • Update IrfanView and the CADImage Plugin to the latest versions published by IrfanView and CADSoftTools.
  • Restrict opening of DWG files from untrusted sources and remove file association of .dwg with IrfanView where CAD workflows do not require it.
  • Educate users on the risk of opening unsolicited CAD attachments delivered via email or messaging platforms.

Patch Information

Review the Zero Day Initiative Advisory ZDI-25-548 for vendor coordination status. Apply the most recent IrfanView build and CADImage Plugin release from the official vendor channels. Confirm post-update versions on each endpoint to verify that the vulnerable plugin binary has been replaced.

Workarounds

  • Uninstall the CADImage Plugin from IrfanView on endpoints that do not require DWG support.
  • Block or quarantine inbound .dwg attachments at the email gateway and web proxy until patching is complete.
  • Run IrfanView under a standard user account and enforce application control policies to limit child processes it may spawn.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.