CVE-2025-7302 Overview
CVE-2025-7302 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by Cadsofttools. The flaw resides in the plugin's DWG file parser, where insufficient validation of user-supplied data leads to memory corruption during parsing. An attacker can exploit the issue to execute arbitrary code in the context of the current user process. Exploitation requires user interaction: the victim must open a crafted DWG file or visit a malicious page that delivers one. The issue was reported through the Zero Day Initiative under tracking identifier ZDI-CAN-26381 and disclosed in advisory ZDI-25-549.
Critical Impact
Successful exploitation grants arbitrary code execution within the IrfanView process, enabling attackers to drop malware, steal data, or pivot to additional systems from a single opened DWG file.
Affected Products
- Cadsofttools CADImage Plugin for IrfanView (x86)
- Cadsofttools CADImage Plugin for IrfanView (x64)
- IrfanView (x86 and x64) installations using the CADImage plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7302 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7302
Vulnerability Analysis
The vulnerability resides in the CADImage plugin's handler for AutoCAD Drawing (.dwg) files. The DWG format is a complex binary container with multiple sections, object handles, and length-prefixed records. When the plugin parses one of these structures, it fails to validate user-controlled size or index fields before using them in memory operations. This results in a memory corruption condition consistent with [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). Attackers can craft a DWG file that overwrites adjacent memory, including control data such as function pointers or vtable entries, leading to arbitrary code execution.
Root Cause
The root cause is the lack of proper validation of user-supplied data inside the DWG parsing routines of the CADImage plugin. Length fields, offsets, or object counts read from the file are trusted without bounds checks. The parser then performs reads or writes that exceed the allocated buffer, corrupting process memory.
Attack Vector
Exploitation is local and requires user interaction. An attacker delivers a malicious DWG file through email, a download link, a network share, or an embedded resource on a webpage. When the victim opens the file in IrfanView with the CADImage plugin installed, the parser processes the malformed structures and triggers the memory corruption. Code execution occurs with the privileges of the user running IrfanView.
No public proof-of-concept exploit was listed at the time of disclosure. Refer to the Zero Day Initiative Advisory ZDI-25-549 for additional technical context.
Detection Methods for CVE-2025-7302
Indicators of Compromise
- DWG files received from untrusted email senders, file-sharing links, or instant messaging platforms, particularly when delivered to users with IrfanView installed.
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- Crash dumps or Windows Error Reporting events referencing the CADImage plugin module after opening a DWG file.
Detection Strategies
- Monitor endpoint telemetry for IrfanView processes loading the CADImage plugin DLL followed by anomalous memory allocations, thread creation, or network connections.
- Apply behavioral identification rules that flag image viewer processes performing actions inconsistent with file viewing, such as writing to startup locations or accessing credential stores.
- Inspect inbound DWG attachments at the email gateway and sandbox them before delivery to endpoints.
Monitoring Recommendations
- Maintain an inventory of endpoints with IrfanView and the CADImage plugin installed and prioritize them for patching.
- Centralize Windows Error Reporting and EDR crash telemetry to identify exploitation attempts that fail or trigger crashes.
- Track file-open events for .dwg extensions originating from user download or temporary directories.
How to Mitigate CVE-2025-7302
Immediate Actions Required
- Update the IrfanView CADImage plugin to the latest version released by Cadsofttools that addresses the DWG parsing flaw.
- Restrict opening DWG files to trusted sources and route untrusted samples through an isolated analysis environment.
- Remove the CADImage plugin from systems that do not require CAD file viewing to reduce attack surface.
Patch Information
Review the Zero Day Initiative Advisory ZDI-25-549 and the Cadsofttools product page for the fixed plugin version. Apply the updated plugin to all IrfanView x86 and x64 installations. No vendor advisory URL was listed in the NVD entry at publication time, so confirm the fix directly with Cadsofttools before deployment.
Workarounds
- Uninstall the CADImage plugin on endpoints where users do not need DWG support.
- Block .dwg attachments at email and web gateways until patched plugin versions are deployed.
- Apply application allowlisting to prevent IrfanView from spawning interpreters or scripting hosts such as cmd.exe and powershell.exe.
# Example: remove the CADImage plugin DLL from a managed Windows endpoint
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

