Skip to main content
CVE Vulnerability Database

CVE-2025-7308: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7308 is a remote code execution flaw in Cadsofttools Cadimage that exploits DWG file parsing to trigger memory corruption. Attackers can execute arbitrary code when users open malicious files. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2025-7308 Overview

CVE-2025-7308 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CadSoftTools. The flaw exists in the plugin's DWG file parsing logic and allows attackers to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a malicious DWG file or visit a page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26389 and tracked in advisory ZDI-25-555. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Successful exploitation grants arbitrary code execution under the privileges of the user running IrfanView, enabling malware deployment, credential theft, and lateral movement.

Affected Products

  • CadSoftTools CADImage plugin for IrfanView (x86 and x64 builds)
  • IrfanView image viewer (x86 and x64 builds) when the CADImage plugin is installed
  • All versions prior to the vendor-supplied fix

Discovery Timeline

  • 2025-07-21 - CVE-2025-7308 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7308

Vulnerability Analysis

The CADImage plugin extends IrfanView with support for AutoCAD DWG, DXF, and related CAD formats. DWG is a complex binary container with nested object records, variable-length headers, and length-prefixed structures. The plugin parses these structures when a user opens a CAD file inside IrfanView.

CVE-2025-7308 stems from missing validation of attacker-controlled fields embedded in the DWG file. When the plugin processes a crafted record, the parser operates on memory regions outside the bounds of the intended buffer. This produces a memory corruption condition that an attacker can shape into arbitrary code execution.

Because IrfanView is widely deployed on Windows workstations and frequently associated with image and CAD file extensions, a single malicious attachment delivered through email, chat, or a drive-by download is sufficient to trigger the flaw.

Root Cause

The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119] inside the DWG parsing routines of the CADImage plugin. User-supplied size, offset, or count fields are trusted without verification against the actual allocation size, allowing reads or writes past buffer boundaries.

Attack Vector

The attack vector is local file processing combined with social engineering. An attacker hosts or distributes a malicious .dwg file and convinces the victim to open it in IrfanView. The vulnerability does not require authentication or network access to the target. Once the file is opened, parsing executes automatically and the corrupted memory state can be redirected to attacker-controlled code.

No public proof-of-concept exploit is currently listed for CVE-2025-7308, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities catalog. Refer to the Zero Day Initiative Advisory ZDI-25-555 for additional technical context.

Detection Methods for CVE-2025-7308

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command interpreters such as cmd.exe, powershell.exe, or rundll32.exe
  • Crash events or Windows Error Reporting entries referencing the CADImage plugin DLL while opening DWG files
  • DWG files arriving through email, instant messaging, or browser downloads from untrusted senders
  • Outbound network connections initiated by the IrfanView process shortly after a CAD file is opened

Detection Strategies

  • Monitor process creation telemetry for IrfanView spawning script interpreters or LOLBins, which is anomalous for an image viewer
  • Hunt for module loads of the CADImage plugin followed by access violations or heap corruption signals in the same process
  • Inspect file-open telemetry for .dwg, .dxf, and related CAD extensions handled by IrfanView on user endpoints
  • Correlate Microsoft Defender or EDR memory-protection events with the IrfanView process image path

Monitoring Recommendations

  • Centralize endpoint process and module-load events to a SIEM or data lake to enable retrospective hunts as new indicators emerge
  • Alert on first-seen execution of CADImage plugin DLLs on hosts that historically did not load them
  • Track file-write events from IrfanView to user-writable locations such as %TEMP% and %APPDATA% immediately after CAD parsing

How to Mitigate CVE-2025-7308

Immediate Actions Required

  • Update the IrfanView CADImage plugin to the latest version provided by CadSoftTools as soon as a fixed build is available
  • Remove the CADImage plugin from endpoints that do not require CAD viewing capability
  • Block inbound .dwg and .dxf attachments at the email gateway when CAD files are not a business requirement
  • Train users to avoid opening unsolicited CAD files and to verify the sender before processing attachments

Patch Information

CadSoftTools distributes the CADImage plugin separately from IrfanView. Administrators should obtain the most recent plugin installer directly from the vendor and verify the version after deployment. The Zero Day Initiative coordinated disclosure with the vendor; consult ZDI-25-555 for advisory status and reference the NVD entry for CVE-2025-7308 for the current fixed version field.

Workarounds

  • Uninstall the CADImage plugin until a patched release is verified in your environment
  • Disassociate .dwg and .dxf file extensions from IrfanView so the parser is not invoked on double-click
  • Restrict IrfanView execution to a low-privilege user account and apply application allowlisting to prevent child-process abuse
  • Use a dedicated, sandboxed CAD viewer for files received from external parties
bash
# Windows: remove DWG file association from IrfanView (run as administrator)
assoc .dwg=
ftype IrfanView.DWG=

# Verify CADImage plugin DLL presence and version
Get-ChildItem -Path "C:\Program Files\IrfanView\Plugins\" -Filter "CADImage*.dll" |
  Select-Object Name, VersionInfo

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.