CVE-2025-7303 Overview
CVE-2025-7303 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw exists in the DWG file parsing logic and stems from insufficient validation of user-supplied data [CWE-119]. Attackers who convince a user to open a crafted DWG file can trigger memory corruption and execute arbitrary code in the context of the current process. The Zero Day Initiative tracked this issue as ZDI-CAN-26384 and published advisory ZDI-25-550.
Critical Impact
Successful exploitation grants arbitrary code execution within the IrfanView process, enabling attackers to install malware, steal data, or establish persistence on the victim host.
Affected Products
- IrfanView (x86 and x64 builds)
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7303 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7303
Vulnerability Analysis
The vulnerability resides in the CADImage Plugin's handler for DWG (AutoCAD Drawing) files. DWG is a proprietary binary format containing geometry, layers, and metadata structures parsed by record length and offset fields. The plugin reads attacker-controlled values from the DWG file and uses them to drive memory operations without verifying bounds or integrity.
When IrfanView loads a malicious DWG file through the CADImage Plugin, the parser writes outside the boundaries of an allocated buffer or operates on undersized structures. This memory corruption corrupts adjacent heap or stack data, including return addresses, function pointers, or object virtual tables. An attacker who controls the corrupted region can redirect execution to attacker-supplied shellcode or chain return-oriented programming (ROP) gadgets.
Because IrfanView is a common default image viewer on Windows, malicious DWG files delivered through phishing, file shares, or drive-by downloads can trigger the flaw with a single double-click.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119]. The DWG parser trusts length and offset fields embedded in the file rather than validating them against the actual size of allocated structures.
Attack Vector
Exploitation requires user interaction. The victim must open a malicious DWG file or visit a page that delivers one. The attack vector is local (AV:L), but delivery typically occurs through remote channels such as email attachments or attacker-controlled web pages. No authentication or elevated privileges are required.
The vulnerability mechanism is documented in the Zero Day Initiative Advisory ZDI-25-550. No public proof-of-concept exploit code has been released. The EPSS probability is 0.225 percent.
Detection Methods for CVE-2025-7303
Indicators of Compromise
- Unexpected i_view32.exe or i_view64.exe child processes spawning command interpreters such as cmd.exe, powershell.exe, or rundll32.exe.
- DWG files arriving from untrusted email senders, web downloads, or removable media followed by IrfanView execution.
- Crashes or Windows Error Reporting events involving IrfanView and the CADIMAGE.DLL plugin module.
- Outbound network connections initiated by the IrfanView process to unknown hosts after opening a DWG file.
Detection Strategies
- Hunt for process trees where IrfanView spawns scripting interpreters, LOLBins, or unsigned binaries from %TEMP% or user profile directories.
- Inspect file write events where IrfanView creates executables, scheduled tasks, or autorun registry entries.
- Monitor for memory access violations and exception events generated by the CADImage Plugin module loaded inside IrfanView.
Monitoring Recommendations
- Forward endpoint telemetry, process creation events, and module load events to a centralized analytics platform for correlation against DWG file open activity.
- Alert on first-seen DWG files opened by users in finance, executive, or engineering roles where social engineering is most likely.
- Track installed versions of IrfanView and the CADImage Plugin across the fleet to identify unpatched hosts.
How to Mitigate CVE-2025-7303
Immediate Actions Required
- Inventory all systems running IrfanView and verify whether the CADImage Plugin is installed.
- Remove the CADImage Plugin from systems that do not require DWG support until a patched version is deployed.
- Block inbound DWG attachments at the email gateway or quarantine them for inspection.
- Train users to avoid opening unsolicited DWG files even when sent from internal addresses.
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-550 and the CADSoftTools and IrfanView vendor sites for the latest plugin release. Apply the updated CADImage Plugin build that contains the fixed DWG parser as soon as it is available, and update IrfanView to the latest version.
Workarounds
- Uninstall or disable the CADImage Plugin (CADIMAGE.DLL) from the IrfanView Plugins directory if DWG rendering is not required.
- Disassociate the .dwg file extension from IrfanView in Windows so the format does not open automatically on double-click.
- Restrict IrfanView execution through application control policies on hosts that handle untrusted files.
# Remove the CADImage plugin from a default IrfanView installation
del "C:\Program Files\IrfanView\Plugins\CADIMAGE.DLL"
del "C:\Program Files (x86)\IrfanView\Plugins\CADIMAGE.DLL"
# Remove the .dwg file association for the current user
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dwg\UserChoice" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

