CVE-2025-7304 Overview
CVE-2025-7304 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code when a user opens a malicious DWG file. The flaw resides in the plugin's DWG file parser, which fails to properly validate user-supplied data before processing it in memory. The Zero Day Initiative tracked this issue as ZDI-CAN-26385 and published advisory ZDI-25-551.
Exploitation requires user interaction. A target must open a crafted DWG file or visit a malicious page that delivers one. Successful exploitation gives the attacker code execution in the context of the IrfanView process.
Critical Impact
Attackers can execute arbitrary code in the context of the IrfanView process by tricking users into opening a malicious DWG file, leading to full compromise of the user's session.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
- IrfanView (x86 and x64) installations using the CADImage plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7304 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7304
Vulnerability Analysis
The vulnerability exists in the DWG file parsing logic of the CADImage plugin distributed for IrfanView. DWG is the native binary format used by AutoCAD and related computer-aided design (CAD) applications. The parser reads structured records describing geometry, layers, and metadata.
The plugin processes fields from the DWG file without sufficient bounds validation. When a crafted record specifies sizes or offsets outside expected ranges, the parser performs memory operations that corrupt adjacent structures on the heap or stack. The flaw is classified under [CWE-119], improper restriction of operations within the bounds of a memory buffer.
An attacker who controls the layout of corrupted memory can redirect execution flow. Because IrfanView typically runs with the privileges of the logged-on user, exploitation grants code execution at that privilege level.
Root Cause
The root cause is missing validation of attacker-controlled length or offset fields during DWG record deserialization. The parser trusts values embedded in the file rather than checking them against the actual buffer size before copying or indexing.
Attack Vector
The attack vector is local but user-driven. An attacker delivers a malicious DWG file through email attachments, file-sharing platforms, or a web page that prompts the user to open it. Once the user opens the file in IrfanView with the CADImage plugin loaded, parsing triggers the memory corruption automatically. No additional authentication or privileges are required from the attacker.
No public proof-of-concept exploit is currently listed for this CVE, and it is not present in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-7304
Indicators of Compromise
- Unexpected crashes of i_view32.exe or i_view64.exe shortly after opening files with .dwg extensions
- DWG files received from untrusted sources, particularly those with anomalous sizes or malformed headers
- Child processes spawned by IrfanView, such as cmd.exe, powershell.exe, or rundll32.exe, following the opening of a CAD file
- Outbound network connections initiated by the IrfanView process after document parsing
Detection Strategies
- Monitor process telemetry for IrfanView executables spawning command interpreters or scripting hosts
- Inspect Windows Error Reporting (WER) and crash dumps referencing the CADImage plugin module for repeated faults
- Flag DWG files arriving via email gateways or web downloads for sandbox detonation before user delivery
- Correlate file-open events on .dwg files with subsequent anomalous memory allocations or thread creations in the IrfanView process
Monitoring Recommendations
- Enable command-line and module-load logging on workstations that have IrfanView and the CADImage plugin installed
- Track installations and versions of the CADImage plugin across the environment to identify exposed endpoints
- Alert on IrfanView process activity that deviates from its normal behavior baseline, such as network egress or registry modification
- Forward endpoint telemetry to a central SIEM or data lake for retroactive hunting once vendor patch details are confirmed
How to Mitigate CVE-2025-7304
Immediate Actions Required
- Inventory all systems with IrfanView and the CADSoftTools CADImage plugin installed and prioritize them for remediation
- Restrict opening of DWG files from untrusted sources until a patched version of the CADImage plugin is installed
- Disable or remove the CADImage plugin on endpoints that do not require CAD file viewing
- Apply application allowlisting policies that prevent IrfanView from spawning interpreters or shells
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-551 for the latest vendor coordination status and patch availability from CADSoftTools and IrfanView. Apply the updated CADImage plugin version as soon as the vendor publishes a fixed release.
Workarounds
- Uninstall the CADImage plugin from IrfanView installations where DWG viewing is not required
- Block .dwg attachments at email gateways or quarantine them for sandbox analysis before delivery
- Configure file association policies so that .dwg files do not open in IrfanView by default
- Run IrfanView under a low-privilege user account and within an isolated workspace when handling external CAD files
# Example: remove DWG file association for IrfanView on Windows
reg delete "HKCU\Software\Classes\.dwg" /f
reg delete "HKCU\Software\Classes\IrfanView.DWG" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

