Skip to main content
CVE Vulnerability Database

CVE-2025-7311: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7311 is a remote code execution vulnerability in IrfanView CADImage Plugin affecting DWG file parsing. Attackers can exploit memory corruption to execute arbitrary code. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-7311 Overview

CVE-2025-7311 is a memory corruption vulnerability in the IrfanView CADImage Plugin caused by improper validation of user-supplied data during DWG file parsing [CWE-119]. Attackers can leverage this flaw to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a malicious DWG file or visit a malicious page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26395 and published as advisory ZDI-25-558. Both x86 and x64 builds of IrfanView with the CADImage Plugin are affected.

Critical Impact

Successful exploitation grants arbitrary code execution with the privileges of the user running IrfanView, enabling local compromise through a single malicious DWG file.

Affected Products

  • IrfanView (x86 and x64)
  • CADSoftTools CADImage Plugin for IrfanView (x86)
  • CADSoftTools CADImage Plugin for IrfanView (x64)

Discovery Timeline

  • 2025-07-21 - CVE-2025-7311 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7311

Vulnerability Analysis

The vulnerability resides in the DWG file parsing logic of the CADImage Plugin loaded by IrfanView. DWG is a proprietary binary format used by AutoCAD and other computer-aided design (CAD) tools, with a complex structure of section headers, object maps, and length-prefixed records. When the plugin processes a crafted DWG file, it fails to validate user-supplied size or offset fields before using them to access memory buffers. The resulting memory corruption [CWE-119] allows an attacker to overwrite adjacent memory structures and hijack control flow within the IrfanView process.

Because the plugin runs in-process, code executes with the privileges of the user opening the file. On workstations where users routinely interact with engineering or design documents, this provides a reliable initial-access primitive through phishing or drive-by file delivery.

Root Cause

The root cause is the lack of proper bounds and structure validation on attacker-controlled fields inside the DWG file. Parsing routines trust embedded length and offset values, leading to out-of-bounds memory access and corruption of process memory.

Attack Vector

The attack vector is local and requires user interaction. An attacker delivers a malicious .dwg file through email, a web download, a shared drive, or a watering-hole page. When the victim opens the file in IrfanView with the CADImage Plugin installed, the malformed DWG triggers the memory corruption and executes the attacker's payload.

No authenticated network access is needed, and exploitation does not require elevated privileges on the target host. See the Zero Day Initiative Advisory ZDI-25-558 for additional technical context.

Detection Methods for CVE-2025-7311

Indicators of Compromise

  • DWG files arriving from untrusted email senders, web downloads, or external file shares that are opened by i_view32.exe or i_view64.exe.
  • Unexpected child processes spawned by IrfanView, such as cmd.exe, powershell.exe, or rundll32.exe.
  • IrfanView process crashes with access violation exceptions when handling DWG files, indicating attempted or failed exploitation.

Detection Strategies

  • Monitor for IrfanView processes loading the CADImage plugin DLL and subsequently performing network connections or writing executables to disk.
  • Alert on DWG files opened from temporary internet directories, mail client attachment caches, or browser download folders.
  • Hunt for command-line creation events where the parent process is IrfanView and the child is a scripting interpreter or LOLBin.

Monitoring Recommendations

  • Enable Windows Defender Exploit Guard or equivalent process-mitigation telemetry for IrfanView to capture memory corruption signals.
  • Forward endpoint process, image-load, and file-write telemetry to a centralized analytics platform and retain at least 30 days of history.
  • Track CADImage Plugin version inventory across endpoints to identify hosts still running vulnerable builds.

How to Mitigate CVE-2025-7311

Immediate Actions Required

  • Apply the latest CADImage Plugin update from CADSoftTools and the latest IrfanView release as soon as fixed builds are available.
  • Remove or disable the CADImage Plugin on endpoints that do not require DWG support in IrfanView.
  • Block inbound .dwg attachments at the email gateway for users who do not have a business need to receive CAD files.

Patch Information

Refer to the Zero Day Initiative Advisory ZDI-25-558 and the CADSoftTools and IrfanView vendor download pages for the corrected plugin and host application versions. Verify the installed plugin DLL version on each endpoint after deployment to confirm remediation.

Workarounds

  • Uninstall the CADImage Plugin until a patched version can be deployed.
  • Restrict IrfanView execution to a dedicated, low-privilege user account and prohibit opening DWG files from untrusted sources.
  • Configure file-type associations so that DWG files do not open in IrfanView by default, reducing the likelihood of accidental invocation.
bash
# Configuration example: remove the CADImage plugin DLL from an IrfanView install
# Adjust the path to match your IrfanView Plugins directory
set PLUGIN_DIR="C:\Program Files\IrfanView\Plugins"
if exist "%PLUGIN_DIR%\CADImage.dll" (
    ren "%PLUGIN_DIR%\CADImage.dll" "CADImage.dll.disabled"
)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.