CVE-2025-7311 Overview
CVE-2025-7311 is a memory corruption vulnerability in the IrfanView CADImage Plugin caused by improper validation of user-supplied data during DWG file parsing [CWE-119]. Attackers can leverage this flaw to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a malicious DWG file or visit a malicious page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26395 and published as advisory ZDI-25-558. Both x86 and x64 builds of IrfanView with the CADImage Plugin are affected.
Critical Impact
Successful exploitation grants arbitrary code execution with the privileges of the user running IrfanView, enabling local compromise through a single malicious DWG file.
Affected Products
- IrfanView (x86 and x64)
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7311 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7311
Vulnerability Analysis
The vulnerability resides in the DWG file parsing logic of the CADImage Plugin loaded by IrfanView. DWG is a proprietary binary format used by AutoCAD and other computer-aided design (CAD) tools, with a complex structure of section headers, object maps, and length-prefixed records. When the plugin processes a crafted DWG file, it fails to validate user-supplied size or offset fields before using them to access memory buffers. The resulting memory corruption [CWE-119] allows an attacker to overwrite adjacent memory structures and hijack control flow within the IrfanView process.
Because the plugin runs in-process, code executes with the privileges of the user opening the file. On workstations where users routinely interact with engineering or design documents, this provides a reliable initial-access primitive through phishing or drive-by file delivery.
Root Cause
The root cause is the lack of proper bounds and structure validation on attacker-controlled fields inside the DWG file. Parsing routines trust embedded length and offset values, leading to out-of-bounds memory access and corruption of process memory.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious .dwg file through email, a web download, a shared drive, or a watering-hole page. When the victim opens the file in IrfanView with the CADImage Plugin installed, the malformed DWG triggers the memory corruption and executes the attacker's payload.
No authenticated network access is needed, and exploitation does not require elevated privileges on the target host. See the Zero Day Initiative Advisory ZDI-25-558 for additional technical context.
Detection Methods for CVE-2025-7311
Indicators of Compromise
- DWG files arriving from untrusted email senders, web downloads, or external file shares that are opened by i_view32.exe or i_view64.exe.
- Unexpected child processes spawned by IrfanView, such as cmd.exe, powershell.exe, or rundll32.exe.
- IrfanView process crashes with access violation exceptions when handling DWG files, indicating attempted or failed exploitation.
Detection Strategies
- Monitor for IrfanView processes loading the CADImage plugin DLL and subsequently performing network connections or writing executables to disk.
- Alert on DWG files opened from temporary internet directories, mail client attachment caches, or browser download folders.
- Hunt for command-line creation events where the parent process is IrfanView and the child is a scripting interpreter or LOLBin.
Monitoring Recommendations
- Enable Windows Defender Exploit Guard or equivalent process-mitigation telemetry for IrfanView to capture memory corruption signals.
- Forward endpoint process, image-load, and file-write telemetry to a centralized analytics platform and retain at least 30 days of history.
- Track CADImage Plugin version inventory across endpoints to identify hosts still running vulnerable builds.
How to Mitigate CVE-2025-7311
Immediate Actions Required
- Apply the latest CADImage Plugin update from CADSoftTools and the latest IrfanView release as soon as fixed builds are available.
- Remove or disable the CADImage Plugin on endpoints that do not require DWG support in IrfanView.
- Block inbound .dwg attachments at the email gateway for users who do not have a business need to receive CAD files.
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-558 and the CADSoftTools and IrfanView vendor download pages for the corrected plugin and host application versions. Verify the installed plugin DLL version on each endpoint after deployment to confirm remediation.
Workarounds
- Uninstall the CADImage Plugin until a patched version can be deployed.
- Restrict IrfanView execution to a dedicated, low-privilege user account and prohibit opening DWG files from untrusted sources.
- Configure file-type associations so that DWG files do not open in IrfanView by default, reducing the likelihood of accidental invocation.
# Configuration example: remove the CADImage plugin DLL from an IrfanView install
# Adjust the path to match your IrfanView Plugins directory
set PLUGIN_DIR="C:\Program Files\IrfanView\Plugins"
if exist "%PLUGIN_DIR%\CADImage.dll" (
ren "%PLUGIN_DIR%\CADImage.dll" "CADImage.dll.disabled"
)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

