CVE-2025-7309 Overview
CVE-2025-7309 is a memory corruption vulnerability in the IrfanView CADImage plugin developed by CADSoftTools. The flaw exists in the plugin's DWG file parsing logic and allows attackers to execute arbitrary code in the context of the current user. Exploitation requires user interaction: the victim must open a crafted DWG file or visit a malicious page that delivers one. The issue is tracked as ZDI-CAN-26391 and was published by the Zero Day Initiative as advisory ZDI-25-557. The weakness is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
A crafted DWG file processed by the CADImage plugin can corrupt memory and yield arbitrary code execution under the IrfanView process context, leading to full user-level compromise.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86)
- CADSoftTools CADImage plugin for IrfanView (x64)
- IrfanView (x86 and x64) installations using the CADImage plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7309 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7309
Vulnerability Analysis
The vulnerability resides in the DWG file parser shipped with the CADImage plugin. DWG is a proprietary binary format used by AutoCAD and compatible CAD applications. When IrfanView loads a DWG file through CADImage, the plugin parses structured records describing geometry, headers, and object tables. The plugin fails to properly validate user-supplied data inside these records before using it in memory operations.
An attacker who controls the contents of a DWG file can influence size or offset fields consumed by the parser. The resulting memory corruption can be steered into arbitrary code execution within the IrfanView process. Exploitation does not require authentication, but the user must open the malicious file or visit a page that triggers the file handler.
Root Cause
The root cause is missing validation of attacker-controlled fields in the DWG parsing routine. The plugin assumes structural integrity of the input file and operates on length or index values without bounds checks, satisfying the CWE-119 classification.
Attack Vector
The attack vector is local file processing with required user interaction. Delivery channels typically include email attachments, drive-by downloads, file-sharing services, and malicious links that prompt users to open a .dwg file in IrfanView. Once parsing begins, no further interaction is needed for the memory corruption to occur.
No public proof-of-concept code is associated with this CVE. Technical details are described in prose only; see the Zero Day Initiative Advisory ZDI-25-557 for vendor-coordinated details.
Detection Methods for CVE-2025-7309
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command interpreters, scripting hosts, or network utilities.
- Crashes or exception events in IrfanView correlated with opening .dwg files from untrusted sources.
- DWG files arriving via email, chat, or web download that immediately trigger CAD plugin activity on workstations without a CAD workflow.
Detection Strategies
- Monitor process creation telemetry for IrfanView executables spawning non-image-handling children, which is anomalous for a viewer.
- Inspect file write and module load events for CADImage.dll or related plugin binaries loading inside IrfanView when DWG files are opened.
- Hunt for outbound network connections initiated by IrfanView processes shortly after a DWG file open event.
Monitoring Recommendations
- Centralize endpoint telemetry from workstations that have IrfanView installed and forward process, file, and module-load events to a SIEM or data lake.
- Alert on user-mode crashes (WerFault.exe events) referencing IrfanView modules, which can indicate exploitation attempts or unstable malicious files.
- Track inbound DWG attachments through email security gateways and correlate with endpoint open events.
How to Mitigate CVE-2025-7309
Immediate Actions Required
- Update the CADImage plugin to the latest version published by CADSoftTools that addresses ZDI-25-557.
- Inventory endpoints with IrfanView and the CADImage plugin installed, prioritizing systems that handle external CAD files.
- Block or quarantine inbound .dwg attachments from untrusted senders at the email gateway until patching is verified.
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-557 for vendor coordination details and patched plugin versions. No vendor advisory URL is listed in the NVD record at the time of publication, so administrators should obtain the updated plugin directly from CADSoftTools and confirm the installed CADImage build on each endpoint.
Workarounds
- Remove or disable the CADImage plugin in IrfanView if DWG support is not required for business operations.
- Restrict file association so that .dwg files do not open in IrfanView by default on user workstations.
- Open untrusted DWG files only inside an isolated sandbox or virtual machine until patches are applied.
# Configuration example: remove CADImage plugin DLL from an IrfanView install
# Run as administrator on each affected endpoint
set IV_DIR="C:\Program Files\IrfanView\Plugins"
del /F /Q %IV_DIR%\CADImage.dll
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

