Skip to main content
CVE Vulnerability Database

CVE-2025-7305: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7305 is a remote code execution flaw in Cadsofttools Cadimage that allows attackers to execute arbitrary code through malicious DWG files. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-7305 Overview

CVE-2025-7305 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw exists in the parsing logic for DWG files and allows arbitrary code execution in the context of the current process. Exploitation requires user interaction — the target must open a malicious DWG file or visit a page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26386 and is tracked under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Successful exploitation grants arbitrary code execution under the privileges of the IrfanView process, enabling attackers to install malware, exfiltrate data, or pivot deeper into the host.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) installations using the CADImage plugin
  • Workstations processing DWG CAD files through IrfanView

Discovery Timeline

  • 2025-07-21 - CVE-2025-7305 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7305

Vulnerability Analysis

The CADImage plugin extends IrfanView with support for CAD file formats including DWG. When the plugin parses a crafted DWG file, it fails to properly validate fields supplied within the file structure. This missing validation produces a memory corruption condition during parsing. Attackers control the corrupted memory contents and can steer execution flow into attacker-supplied data. Because IrfanView runs in user context on the desktop, code executes with the privileges of the logged-in user. The attack vector is local and requires user interaction, but DWG files are routinely shared by email, file shares, and web downloads in engineering and architecture environments.

Root Cause

The root cause is improper validation of user-supplied data within DWG file parsing routines in the CADImage plugin. The parser trusts size, offset, or structural fields from the file without bounds checking, leading to out-of-bounds memory access classified under [CWE-119].

Attack Vector

An attacker delivers a malicious DWG file to a victim through email attachments, drive-by download, or a shared file location. When the victim opens the file in IrfanView with the CADImage plugin installed, the malformed DWG triggers memory corruption and executes attacker-controlled shellcode in the IrfanView process.

No public proof-of-concept code is available. Technical specifics are described in the Zero Day Initiative Advisory ZDI-25-552.

Detection Methods for CVE-2025-7305

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command shells, scripting hosts, or rundll32.exe
  • DWG files opened from temporary internet directories, email attachment caches, or untrusted download paths
  • Crashes of IrfanView correlating with DWG file open events in Windows Application event logs
  • Outbound network connections originating from the IrfanView process

Detection Strategies

  • Hunt for process lineage where IrfanView is the parent of interpreters such as powershell.exe, cmd.exe, or wscript.exe
  • Alert on memory protection violations or unhandled exceptions in IrfanView modules tied to CADImage.dll
  • Inspect DWG files for anomalous header fields or oversized structural records before they reach end-user workstations

Monitoring Recommendations

  • Enable command-line and process-creation logging on workstations that handle CAD files
  • Capture file-write telemetry from IrfanView to detect post-exploitation payload drops in user profile directories
  • Correlate IrfanView crashes with subsequent persistence indicators such as Run key modifications or scheduled task creation

How to Mitigate CVE-2025-7305

Immediate Actions Required

  • Inventory all endpoints running IrfanView with the CADImage plugin installed
  • Restrict opening of DWG files from untrusted sources until a patched plugin version is deployed
  • Apply application-control policies to block execution of the CADImage plugin where DWG support is not required

Patch Information

No vendor patch URL is listed in the NVD record at the time of writing. Refer to the Zero Day Initiative Advisory ZDI-25-552 for vendor coordination status and update CADSoftTools CADImage to the latest version distributed for IrfanView once available.

Workarounds

  • Uninstall or disable the CADImage plugin on endpoints that do not require DWG support in IrfanView
  • Associate DWG files with a dedicated, sandboxed CAD viewer instead of IrfanView
  • Train users to avoid opening DWG attachments from unknown senders and route CAD files through a content disarm and reconstruction workflow
bash
# Remove the CADImage plugin DLL from a standard IrfanView installation
# Adjust the path for x86 vs x64 installs
del "%ProgramFiles%\IrfanView\Plugins\CADImage.dll"
del "%ProgramFiles(x86)%\IrfanView\Plugins\CADImage.dll"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.