CVE-2025-7312 Overview
CVE-2025-7312 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage Plugin developed by CadSoftTools. The flaw resides in the plugin's DWG file parsing logic and allows attackers to execute arbitrary code in the context of the current process. Exploitation requires a user to open a crafted DWG file or visit a malicious page that delivers one. The issue was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-26398 and disclosed in advisory ZDI-25-559.
Critical Impact
Successful exploitation grants arbitrary code execution under the privileges of the user running IrfanView, enabling full compromise of the host application context.
Affected Products
- CadSoftTools CADImage plugin for IrfanView (x86 and x64 builds)
- IrfanView (x86 and x64 builds) installations using the CADImage plugin
- Workstations that automatically render DWG previews through IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7312 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
- Reported through the Zero Day Initiative as ZDI-CAN-26398, published as Zero Day Initiative Advisory ZDI-25-559
Technical Details for CVE-2025-7312
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in the CADImage plugin's DWG parser. The plugin fails to validate length or offset fields embedded inside a DWG file before reading from an internally allocated buffer. When a malformed DWG is loaded, the parser reads past the end of the allocated region. The leaked memory and corrupted parser state can be combined with controlled file structures to redirect execution flow. According to the Zero Day Initiative advisory, the resulting primitive is sufficient to achieve arbitrary code execution within the IrfanView process.
Root Cause
The defect stems from missing bounds validation on attacker-controlled fields parsed from the DWG container. The plugin trusts size and offset values supplied by the file and uses them directly in read operations against a fixed-size buffer. Without a sanity check comparing requested offsets against the allocated buffer length, the parser dereferences memory outside the intended object.
Attack Vector
An attacker delivers a malicious DWG file through email, a web download, a shared drive, or a drive-by page that prompts the user to open it. When the victim opens the file in IrfanView with the CADImage plugin installed, the parser triggers the out-of-bounds read and the embedded exploit payload executes in the IrfanView process context. Exploitation requires user interaction and operates at the local attack scope.
No public proof-of-concept is currently available. For technical specifics refer to the Zero Day Initiative Advisory ZDI-25-559.
Detection Methods for CVE-2025-7312
Indicators of Compromise
- DWG files arriving from untrusted email senders, web downloads, or external shares that are opened directly by i_view32.exe or i_view64.exe.
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- Access violation or crash events referencing the CADImage plugin DLL in the Windows Application event log.
Detection Strategies
- Hunt for IrfanView processes loading the CADImage plugin module followed by network connections to untrusted destinations.
- Alert on IrfanView spawning interpreters, script hosts, or LOLBins immediately after a DWG file is opened.
- Inspect email and web gateways for DWG attachments and correlate with subsequent IrfanView execution telemetry.
Monitoring Recommendations
- Enable EDR module-load and image-load telemetry for IrfanView binaries to capture CADImage plugin activity.
- Forward Windows Error Reporting and application crash dumps for IrfanView to a central log store for triage.
- Track file-open events for .dwg extensions tied to IrfanView and review them against download provenance.
How to Mitigate CVE-2025-7312
Immediate Actions Required
- Inventory endpoints with IrfanView and the CADImage plugin installed and prioritize hosts that process untrusted CAD files.
- Disable or uninstall the CADImage plugin until a fixed version is confirmed installed.
- Block inbound .dwg attachments at the mail gateway and require sandbox inspection for CAD files from external sources.
- Restrict the file associations so IrfanView is not the default handler for DWG content originating from the internet.
Patch Information
No vendor patch URL is referenced in the NVD record at the time of writing. Monitor the Zero Day Initiative Advisory ZDI-25-559 and the CadSoftTools and IrfanView download pages for updated CADImage plugin builds, and apply the fixed version once published.
Workarounds
- Remove the CADImage plugin DLL from the IrfanView Plugins directory if DWG support is not required.
- Run IrfanView under a standard user account with Windows Defender Exploit Protection enabled to limit post-exploitation impact.
- Use a dedicated, network-isolated workstation or virtual machine for opening DWG files received from external parties.
# Configuration example: remove the CADImage plugin from a Windows host
cd "C:\Program Files\IrfanView\Plugins"
ren CADIMAGE.DLL CADIMAGE.DLL.disabled
# Block DWG attachments at an Exchange transport rule (PowerShell)
New-TransportRule -Name "Block-DWG-Inbound" \
-FromScope NotInOrganization \
-AttachmentExtensionMatchesWords "dwg" \
-RejectMessageReasonText "DWG attachments are blocked pending CVE-2025-7312 remediation"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

