Skip to main content
CVE Vulnerability Database

CVE-2025-7313: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7313 is a remote code execution flaw in Cadsofttools Cadimage that enables attackers to execute arbitrary code via malicious DWG files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7313 Overview

CVE-2025-7313 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the plugin's DWG file parsing logic and allows attackers to execute arbitrary code in the context of the current process. Exploitation requires user interaction, such as opening a malicious DWG file or visiting a page that delivers one. The vulnerability was reported through the Trend Micro Zero Day Initiative under identifier ZDI-CAN-26399. It is classified under [CWE-119] for improper restriction of operations within the bounds of a memory buffer.

Critical Impact

Successful exploitation grants arbitrary code execution with the privileges of the user running IrfanView, enabling malware deployment, credential theft, or lateral movement.

Affected Products

  • CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) installations that load the CADImage Plugin
  • Windows systems processing DWG files via the affected plugin

Discovery Timeline

  • 2025-07-21 - CVE-2025-7313 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7313

Vulnerability Analysis

The vulnerability exists in the DWG file parsing routine of the CADImage Plugin, which extends IrfanView with AutoCAD file support. The plugin fails to properly validate user-supplied data embedded in DWG files before using it in memory operations. This missing validation produces a memory corruption condition that an attacker can shape into arbitrary code execution. Because the plugin runs in-process with IrfanView, successful exploitation yields code execution at the privilege level of the current user.

The issue is tracked under [CWE-119], which covers improper restriction of operations within the bounds of a memory buffer. EPSS data reports a low probability of observed exploitation at the time of publication, but the technical prerequisites for exploitation are straightforward once a malicious DWG file is delivered.

Root Cause

The root cause is insufficient bounds and structure validation of attacker-controlled fields inside the DWG container. DWG is a binary format with multiple length-prefixed sections and object records. When the parser trusts a size, offset, or object count from the file without cross-checking against buffer boundaries, subsequent read or write operations overflow adjacent memory. Attackers use this to overwrite structured exception handlers, virtual function pointers, or heap metadata.

Attack Vector

The attack vector is local file processing with required user interaction. An attacker crafts a malicious DWG file and delivers it through phishing email, a compromised website, a shared drive, or a supply-chain document. The victim opens the file with IrfanView, which loads the CADImage Plugin to render the CAD content. Parsing the malformed structures triggers memory corruption inside the plugin. The attacker's shellcode then executes with the user's privileges, enabling persistence, credential harvesting, or follow-on exploitation.

Refer to the Zero Day Initiative Advisory ZDI-25-560 for the vendor-coordinated disclosure and additional technical context.

Detection Methods for CVE-2025-7313

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly cmd.exe, powershell.exe, rundll32.exe, or regsvr32.exe
  • IrfanView process crashes with access violation exceptions immediately after opening a .dwg file
  • DWG files arriving via email attachments or downloads from untrusted sources, especially with anomalous file sizes or mismatched headers
  • Outbound network connections initiated by IrfanView following DWG file interaction

Detection Strategies

  • Monitor process creation events where the parent image is IrfanView and the child image is a shell or scripting interpreter
  • Alert on Windows Error Reporting entries or crash dumps referencing the CADImage Plugin module (CADImage.dll) with heap or stack corruption signatures
  • Inspect email gateways and web proxies for DWG attachments and downloads, correlating with recipient endpoints that have IrfanView installed
  • Apply YARA rules that identify malformed DWG headers or oversized section lengths inconsistent with legitimate AutoCAD output

Monitoring Recommendations

  • Enable detailed process command-line logging and PowerShell script block logging on endpoints where IrfanView is deployed
  • Ingest endpoint telemetry into a centralized analytics platform to correlate IrfanView activity with subsequent suspicious behavior
  • Track file writes by IrfanView to %APPDATA%, %TEMP%, and startup locations, which indicate post-exploitation persistence
  • Maintain an inventory of hosts running IrfanView and the CADImage Plugin to scope monitoring and patching activity

How to Mitigate CVE-2025-7313

Immediate Actions Required

  • Update the CADImage Plugin to the latest version distributed by CADSoftTools as referenced in the ZDI-25-560 advisory
  • Update IrfanView to the current release from the official vendor
  • Restrict DWG file handling to trusted sources and block DWG attachments at the email gateway where operationally feasible
  • Instruct users not to open DWG files received from unknown or untrusted senders

Patch Information

CADSoftTools coordinated the fix through the Zero Day Initiative under advisory ZDI-25-560. Administrators should obtain the updated CADImage Plugin directly from CADSoftTools and verify the installed version on all endpoints running IrfanView. No vendor patch URL is enumerated in the NVD record beyond the ZDI advisory reference.

Workarounds

  • Uninstall or disable the CADImage Plugin on systems that do not require DWG rendering in IrfanView
  • Remove file associations that automatically open .dwg files with IrfanView, forcing manual selection of a viewer
  • Deploy application control policies that prevent IrfanView from spawning shell interpreters or writing to persistence locations
  • Route CAD file review through a dedicated, isolated workstation or sandbox rather than general-purpose user endpoints

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.