Skip to main content
CVE Vulnerability Database

CVE-2025-7306: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7306 is a remote code execution flaw in Cadsofttools Cadimage that allows attackers to execute arbitrary code through malicious DWG files. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-7306 Overview

CVE-2025-7306 is a memory corruption vulnerability in the IrfanView CADImage plugin that allows attackers to execute arbitrary code when a user opens a malicious DWG file. The flaw resides in the plugin's DWG file parsing routines, which fail to properly validate user-supplied data. Exploitation requires user interaction, typically through opening a crafted file or visiting a malicious page that delivers one. Successful exploitation results in code execution within the context of the IrfanView process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26387 and assigned [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Attackers can execute arbitrary code in the context of the current process by tricking a user into opening a malicious DWG file in IrfanView.

Affected Products

  • CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) installations with the CADImage plugin
  • Windows systems processing DWG files via the CADImage plugin

Discovery Timeline

  • 2025-07-21 - CVE-2025-7306 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7306

Vulnerability Analysis

The vulnerability exists in the DWG file parsing logic of the CADImage plugin used by IrfanView. DWG is a proprietary binary format used to store 2D and 3D CAD design data. The CADImage plugin extends IrfanView with the ability to render these files. Parsing the format requires interpreting numerous nested record structures, length fields, and offset tables, which creates a broad attack surface for malformed input.

When the plugin processes a crafted DWG file, it fails to enforce proper bounds on user-controlled fields before performing memory operations. This results in a memory corruption condition that an attacker can shape into control over execution flow. Because the plugin runs in-process inside i_view32.exe or i_view64.exe, any successful exploit inherits the privileges of the user running IrfanView.

Root Cause

The root cause is improper validation of user-supplied data inside the DWG parser, classified as [CWE-119]. Size or offset values read from the file are trusted without verification against the actual size of the allocated buffer or input stream. When these values exceed expected bounds, subsequent read or write operations corrupt adjacent memory. Attackers can use this primitive to overwrite function pointers, vtables, or return addresses to redirect execution.

Attack Vector

Exploitation requires user interaction. An attacker delivers a malicious .dwg file through email, a web download, a shared file location, or an embedded link. When the victim opens the file in IrfanView with the CADImage plugin installed, the parser triggers the memory corruption and the attacker's payload executes with the user's privileges. No network listening service is involved, but the attack chain pairs cleanly with phishing campaigns targeting engineering, architecture, or design environments where DWG files are routine.

The vulnerability mechanism involves crafted length and offset fields inside the DWG header and section records. See the Zero Day Initiative Advisory ZDI-25-553 for the original technical details.

Detection Methods for CVE-2025-7306

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
  • IrfanView process crashes or access violations recorded in Windows Error Reporting when opening DWG files.
  • DWG files arriving from untrusted email senders or downloaded from unverified web sources.
  • Network connections originating from the IrfanView process to unfamiliar external hosts.

Detection Strategies

  • Monitor process creation events where IrfanView is the parent of scripting engines, LOLBins, or interpreter binaries.
  • Apply file integrity and reputation checks on .dwg attachments at email and web gateways.
  • Hunt for anomalous memory regions marked executable inside IrfanView processes using EDR telemetry.

Monitoring Recommendations

  • Enable command-line logging and Sysmon Event ID 1 and 11 to capture process lineage and file writes following DWG file opens.
  • Forward endpoint telemetry to a central SIEM or data lake and alert on IrfanView spawning interactive shells.
  • Track installation inventories of the CADImage plugin to scope affected endpoints during incident response.

How to Mitigate CVE-2025-7306

Immediate Actions Required

  • Update the CADImage plugin and IrfanView to the latest versions released after July 2025.
  • Restrict opening of DWG files from untrusted sources until patching is confirmed across the fleet.
  • Block or quarantine inbound .dwg attachments at email gateways pending validation.
  • Enforce least privilege so that IrfanView runs under standard user accounts, not administrative ones.

Patch Information

Review the Zero Day Initiative Advisory ZDI-25-553 and the CADSoftTools and IrfanView vendor download pages for the latest plugin and application releases. Apply the updated CADImage plugin to all IrfanView installations, including both x86 and x64 builds. Confirm patch deployment through software inventory tooling before relaxing temporary controls.

Workarounds

  • Uninstall the CADImage plugin from IrfanView if DWG rendering is not required.
  • Disassociate the .dwg file extension from IrfanView and route opens to a hardened, sandboxed CAD viewer.
  • Open untrusted DWG files only inside virtual machines or application sandboxes with no network access.
bash
# Configuration example: remove CADImage plugin DLL from IrfanView Plugins directory
cd "C:\Program Files\IrfanView\Plugins"
ren CADImage.dll CADImage.dll.disabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.