CVE-2025-7307 Overview
CVE-2025-7307 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CadSoftTools. The flaw exists in the plugin's handling of DWG files and stems from insufficient validation of user-supplied data during parsing. Attackers can leverage the issue to execute arbitrary code in the context of the current process. Exploitation requires user interaction, meaning the target must open a malicious DWG file or visit a malicious page that delivers one. The vulnerability is tracked as ZDI-CAN-26388 by the Zero Day Initiative and is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
A crafted DWG file processed by IrfanView with the CADImage Plugin enables arbitrary code execution under the user's privileges.
Affected Products
- CadSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) with the CADImage Plugin installed
- Windows systems where users open untrusted DWG files in IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7307 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7307
Vulnerability Analysis
The vulnerability resides in the DWG file parser implemented within the CADImage Plugin for IrfanView. DWG is a proprietary binary format used by AutoCAD and other computer-aided design (CAD) tools. The CADImage Plugin extends IrfanView so it can render DWG content directly inside the image viewer. When the parser processes structures embedded in a malformed DWG file, it fails to validate certain length or offset fields supplied by the attacker. The resulting memory corruption condition allows an attacker-controlled write that can be steered toward code execution within the IrfanView process.
Root Cause
The root cause is improper bounds checking during deserialization of DWG file structures, classified as [CWE-119]. Attacker-controlled values from the file are used to drive memory operations without sufficient validation, breaking the expected boundary constraints of the underlying buffer.
Attack Vector
Exploitation requires user interaction. An attacker delivers a weaponized DWG file through email, a download link, a network share, or an embedded web resource. When the victim opens the file in IrfanView with the CADImage Plugin loaded, the parser triggers the memory corruption. Code then executes with the privileges of the logged-on user. Although the CVSS attack vector is local, file-based delivery through phishing or drive-by download remains a realistic distribution channel.
No verified proof-of-concept code is publicly available. Technical details are tracked in the Zero Day Initiative Advisory ZDI-25-554.
Detection Methods for CVE-2025-7307
Indicators of Compromise
- DWG files received from untrusted email senders, file shares, or web downloads that target users with IrfanView installed.
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- Crash dumps or Windows Error Reporting events involving the CADImage Plugin DLL while parsing DWG content.
Detection Strategies
- Monitor endpoint telemetry for IrfanView processes loading the CADImage Plugin and immediately launching scripting or living-off-the-land binaries.
- Inspect file write and network activity originating from the IrfanView process after a DWG file is opened.
- Apply YARA or file-format inspection rules at the email gateway to flag DWG attachments sent to standard user mailboxes.
Monitoring Recommendations
- Enable command-line and module load auditing on Windows endpoints running IrfanView to capture plugin activity.
- Centralize endpoint, email, and proxy telemetry in a SIEM or data lake to correlate DWG delivery with downstream process activity.
- Track installed versions of IrfanView and the CADImage Plugin through software inventory tooling to identify unpatched systems.
How to Mitigate CVE-2025-7307
Immediate Actions Required
- Update the CADImage Plugin and IrfanView to the latest versions provided by CadSoftTools and IrfanView once a fix addressing CVE-2025-7307 is published.
- Restrict opening of DWG files from untrusted sources and block DWG attachments at the email gateway where business processes allow.
- Audit endpoints to identify hosts where the CADImage Plugin is installed and prioritize them for patching.
Patch Information
No vendor advisory URL is listed in the enriched NVD data at the time of writing. Refer to the Zero Day Initiative Advisory ZDI-25-554 for coordinated disclosure status and consult the CadSoftTools and IrfanView download pages for fixed plugin and application releases.
Workarounds
- Uninstall or disable the CADImage Plugin if DWG rendering inside IrfanView is not required.
- Associate .dwg files with a sandboxed or read-only viewer instead of IrfanView until the plugin is patched.
- Run IrfanView as a standard user with no administrative rights to limit the impact of successful exploitation.
# Configuration example: remove the CADImage Plugin DLL from an IrfanView install
# Adjust the path to match the local installation directory
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

