CVE-2025-7310 Overview
CVE-2025-7310 is a memory corruption vulnerability in the IrfanView CADImage Plugin that enables arbitrary code execution when parsing maliciously crafted DWG files. The flaw resides in the DWG file parser, which fails to properly validate user-supplied data before processing it. Attackers can leverage the issue to execute code in the context of the user running IrfanView. Exploitation requires user interaction: the target must open a malicious DWG file or visit a page that triggers the parser. The vulnerability is tracked as ZDI-CAN-26393 and was published to the National Vulnerability Database (NVD) on July 21, 2025.
Critical Impact
Successful exploitation grants arbitrary code execution in the context of the current user, leading to full compromise of confidentiality, integrity, and availability on the affected host.
Affected Products
- IrfanView (x86 and x64) with the CADImage plugin installed
- CADSoftTools CADImage plugin for IrfanView (x86)
- CADSoftTools CADImage plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7310 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7310
Vulnerability Analysis
The vulnerability is classified as a memory corruption flaw [CWE-119], improper restriction of operations within the bounds of a memory buffer. It manifests during DWG file parsing in the CADImage plugin loaded by IrfanView. The parser reads attacker-controlled fields from the DWG container without verifying lengths or offsets against the destination buffer. This permits an out-of-bounds write that corrupts adjacent memory structures.
The DWG format is a binary CAD drawing format containing nested records, headers, and object handles. Improper validation of these structure sizes allows a crafted record to cause the plugin to write past allocated buffers. An attacker who controls the corrupted memory can redirect execution flow and run arbitrary code in the IrfanView process.
Root Cause
The root cause is the absence of bounds validation on size and length fields extracted from the DWG file before they are used in memory operations. The CADImage plugin trusts the file-supplied values and uses them directly in copy or indexing routines. When the supplied length exceeds the destination buffer capacity, memory corruption occurs.
Attack Vector
Exploitation is local and requires user interaction. An attacker delivers a crafted .dwg file through email, a download link, or a web page. When the victim opens the file in IrfanView with the CADImage plugin installed, the parser processes the malicious structures and triggers memory corruption. The resulting code runs with the privileges of the user running IrfanView.
No verified exploitation code is publicly available. See the Zero Day Initiative
advisory ZDI-25-556 for additional technical context on the DWG parsing flaw.
Detection Methods for CVE-2025-7310
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- IrfanView process crashes or access violation events recorded in the Windows Application event log shortly after opening a .dwg file.
- Inbound .dwg files from untrusted email senders or web downloads followed by user execution.
Detection Strategies
- Monitor process creation telemetry for IrfanView spawning interpreters, scripting hosts, or network utilities.
- Inspect file-write events where IrfanView writes executable content (.exe, .dll, .ps1, .bat) to user-writable paths.
- Apply YARA rules against inbound .dwg attachments to flag anomalous record sizes or known crafted structures referenced in ZDI-25-556.
Monitoring Recommendations
- Enable Windows Defender Exploit Guard or equivalent exploit mitigation telemetry to capture memory corruption events in IrfanView.
- Log all DWG file opens via endpoint detection and response (EDR) file-access auditing.
- Alert on outbound network connections originating from the IrfanView process tree.
How to Mitigate CVE-2025-7310
Immediate Actions Required
- Uninstall or disable the CADImage plugin from IrfanView until a patched version is confirmed installed.
- Block .dwg attachments at the email gateway for users who do not require CAD file handling.
- Restrict IrfanView execution to users with a documented business need for opening CAD files.
Patch Information
No fixed version is referenced in the NVD entry at the time of publication. Refer to the Zero Day Initiative Advisory ZDI-25-556 and the CADSoftTools and IrfanView vendor download pages for updated plugin releases addressing CVE-2025-7310.
Workarounds
- Remove the CADImage plugin files from the IrfanView Plugins directory to prevent DWG parsing.
- Configure file association policies so .dwg files do not open with IrfanView by default.
- Open untrusted CAD files only within an isolated virtual machine or sandboxed environment.
# Example: remove the CADImage plugin from a default IrfanView installation
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

