Skip to main content
CVE Vulnerability Database

CVE-2025-7314: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7314 is a remote code execution flaw in IrfanView CADImage Plugin that exploits DWG file parsing to trigger memory corruption. This guide covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-7314 Overview

CVE-2025-7314 is a memory corruption vulnerability in the IrfanView CADImage Plugin. The flaw resides in the parser that handles AutoCAD Drawing (DWG) files and stems from missing validation of user-supplied data [CWE-119]. An attacker who convinces a user to open a crafted DWG file, or to visit a page that serves one, can corrupt memory and execute arbitrary code in the context of the IrfanView process. The issue was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-26400 and published as advisory ZDI-25-561.

Critical Impact

Successful exploitation grants arbitrary code execution under the privileges of the user running IrfanView, enabling full compromise of the user account and persistence on the host.

Affected Products

  • IrfanView (x86 and x64 builds shipping with the CADImage Plugin)
  • CADSoftTools CADImage Plugin for IrfanView (x86)
  • CADSoftTools CADImage Plugin for IrfanView (x64)

Discovery Timeline

  • 2025-07-21 - CVE-2025-7314 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7314

Vulnerability Analysis

The vulnerability lives inside the CADImage Plugin, a third-party module that adds AutoCAD format support to IrfanView. When the plugin parses a DWG file, it processes attacker-controlled structures without enforcing bounds on offsets, sizes, or record counts. A crafted file drives the parser into a memory corruption state classified as [CWE-119] Improper Restriction of Operations within the Bounds of a Memory Buffer.

Because IrfanView typically registers the plugin as the handler for DWG and related CAD formats, the file extension alone is enough to route untrusted input into the vulnerable code path. The vulnerability requires user interaction: the victim must open a malicious DWG file or browse to a page that delivers one through the browser's file association. No authentication is required, and exploitation does not depend on elevated privileges.

An attacker who controls the corrupted memory region can pivot to arbitrary code execution under the security context of the current user. On systems where users run with administrative tokens, this provides immediate full control of the workstation.

Root Cause

The root cause is missing validation of fields embedded in DWG records before they are used to index, copy, or allocate buffers inside the CADImage parser. The parser trusts size and offset values from the file without verifying that they fit within the allocated structures.

Attack Vector

The attack is local with required user interaction. Typical delivery vectors include phishing email attachments, drive-by downloads, watering-hole pages serving crafted DWG files, and shared file servers that store CAD assets. Once the user opens the file in IrfanView, the malicious payload runs without any further prompt. Refer to the Zero Day Initiative Advisory ZDI-25-561 for the technical writeup published by the reporting researcher.

No public proof-of-concept exploit is available at this time, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-7314

Indicators of Compromise

  • DWG files received from untrusted sources, especially via email or web download, that are opened directly by i_view32.exe or i_view64.exe.
  • Unexpected child processes spawned by IrfanView, such as cmd.exe, powershell.exe, rundll32.exe, or regsvr32.exe.
  • Crash dumps from IrfanView referencing the CADImage plugin module during DWG parsing.
  • Outbound network connections initiated by IrfanView immediately after a DWG file is opened.

Detection Strategies

  • Hunt for process lineage where IrfanView is the parent of an interpreter or LOLBin, which is highly unusual for an image viewer.
  • Alert on writes to autorun locations (Run keys, Startup folder, Scheduled Tasks) where the originating process tree contains IrfanView.
  • Monitor file-open telemetry for DWG and related CAD extensions handled by hosts that do not have a legitimate CAD workflow.

Monitoring Recommendations

  • Enable Windows Defender Application Control or AppLocker logging to capture image loads of the CADImage plugin DLL alongside IrfanView.
  • Forward EDR process, file, and module-load events to a SIEM and pivot on IrfanView as a parent process.
  • Subscribe to vendor advisories from IrfanView and CADSoftTools to track patched plugin versions.

How to Mitigate CVE-2025-7314

Immediate Actions Required

  • Update the IrfanView CADImage Plugin to the latest version published by CADSoftTools on hosts that require DWG support.
  • Remove the CADImage Plugin from IrfanView installations that do not require CAD file rendering.
  • Block inbound DWG attachments at the email gateway and quarantine DWG downloads from untrusted web origins.
  • Instruct users not to open DWG files from unknown senders and to verify provenance before opening CAD content.

Patch Information

The vendor advisory tracked as ZDI-25-561 documents coordination with the vendor. Administrators should obtain the latest CADImage Plugin installer from CADSoftTools and the current IrfanView release from the official IrfanView distribution channel, then verify the plugin version reported in IrfanView's plugin manager after installation.

Workarounds

  • Unregister the CADImage Plugin by removing the plugin DLL from the IrfanView Plugins directory if the patch cannot be applied immediately.
  • Remove file associations for .dwg, .dxf, and other CAD formats handled by the plugin so the parser is not invoked automatically.
  • Run IrfanView under a standard user account, never as Administrator, to limit the impact of code execution.
  • Open untrusted DWG files only inside an isolated virtual machine or sandbox with no network access.
bash
# Remove the CADImage plugin DLL on Windows (run as Administrator)
del "%ProgramFiles%\IrfanView\Plugins\CADImage.dll"
del "%ProgramFiles(x86)%\IrfanView\Plugins\CADImage.dll"

# Remove DWG file association for the current user
reg delete "HKCU\Software\Classes\.dwg" /f
reg delete "HKCU\Software\Classes\IrfanView.DWG" /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.