Skip to main content
CVE Vulnerability Database

CVE-2025-7315: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7315 is a remote code execution flaw in Cadsofttools Cadimage affecting DWG file parsing. Attackers can exploit memory corruption to run malicious code. This article covers technical details, impact, and mitigations.

Published:

CVE-2025-7315 Overview

CVE-2025-7315 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw exists in the parsing of DWG files and stems from insufficient validation of user-supplied data [CWE-119]. Attackers can leverage the issue to execute arbitrary code within the context of the current process. Exploitation requires user interaction, such as opening a crafted DWG file or visiting a malicious page that delivers one. The vulnerability was reported through the Zero Day Initiative under tracking identifier ZDI-CAN-26408 and published as advisory ZDI-25-562.

Critical Impact

Successful exploitation grants arbitrary code execution under the privileges of the IrfanView user, enabling full compromise of the local session.

Affected Products

  • CADSoftTools CADImage Plugin for IrfanView (x86)
  • CADSoftTools CADImage Plugin for IrfanView (x64)
  • IrfanView (x86 and x64) with the CADImage Plugin installed

Discovery Timeline

  • 2025-07-21 - CVE-2025-7315 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7315

Vulnerability Analysis

The CADImage Plugin extends IrfanView with support for CAD file formats, including AutoCAD DWG drawings. The vulnerability resides in the routine responsible for parsing structures inside a DWG file. The parser fails to validate length or offset values supplied within the file before using them to read or write memory.

This missing validation produces a memory corruption condition classified under [CWE-119] (improper restriction of operations within the bounds of a memory buffer). An attacker who controls the malformed values can corrupt adjacent process memory and redirect execution flow. Because the plugin operates inside the IrfanView process, any code executed inherits the privileges of the interactive user.

Root Cause

The root cause is the lack of proper bounds checking on attacker-controlled fields parsed from a DWG file. Untrusted file data is consumed without verifying that the resulting buffer operations stay within allocated memory, leading to out-of-bounds access and corruption of process state.

Attack Vector

Exploitation is local and requires user interaction. The attacker must convince the target to open a crafted DWG file in IrfanView with the CADImage Plugin installed, or to visit a web page that delivers the file through a download or file association. Once parsing begins, the malformed structures trigger memory corruption and enable arbitrary code execution in the IrfanView process.

No public proof-of-concept code is available for CVE-2025-7315. Refer to the Zero Day Initiative Advisory ZDI-25-562 for additional technical context.

Detection Methods for CVE-2025-7315

Indicators of Compromise

  • Unexpected i_view32.exe or i_view64.exe child processes spawning shells, scripting interpreters, or rundll32.exe after a DWG file is opened.
  • DWG files arriving via email, browser downloads, or removable media that are opened by users without a business need for CAD content.
  • Application crashes or Windows Error Reporting events implicating the CADImage.dll plugin module.

Detection Strategies

  • Monitor process lineage where IrfanView is the parent and the child is a non-image-handling binary such as cmd.exe, powershell.exe, or wscript.exe.
  • Alert on writes by the IrfanView process to autorun locations, the user Startup folder, or scheduled task creation immediately following a DWG file open.
  • Hunt for outbound network connections originating from IrfanView, which legitimately should not perform network I/O during file parsing.

Monitoring Recommendations

  • Enable command-line and module-load logging on endpoints that have IrfanView installed, and forward events to a centralized analytics platform.
  • Track loads of CADImage.dll and correlate with file open telemetry to identify users actively exposed to the vulnerable code path.
  • Review email and web proxy logs for inbound DWG attachments from untrusted senders.

How to Mitigate CVE-2025-7315

Immediate Actions Required

  • Inventory endpoints with IrfanView and the CADImage Plugin installed, and prioritize remediation on workstations belonging to users who handle external files.
  • Update the CADImage Plugin to a version released after the disclosure of ZDI-25-562 as soon as CADSoftTools makes one available.
  • Block or quarantine DWG attachments at the email gateway and web proxy until patching is complete.

Patch Information

No vendor advisory URL is listed in the NVD record at the time of publication. Administrators should monitor the CADSoftTools and IrfanView download pages for an updated CADImage Plugin build that addresses the parsing flaw described in ZDI-25-562.

Workarounds

  • Uninstall the CADImage Plugin from IrfanView on systems that do not require CAD file viewing.
  • Remove the file association for .dwg so the format does not open in IrfanView, forcing users to choose an application explicitly.
  • Restrict IrfanView execution on high-risk users through application control policies such as Windows Defender Application Control or AppLocker.
  • Open untrusted DWG files only inside an isolated virtual machine or sandboxed environment that contains the impact of memory corruption.
bash
# Example AppLocker rule snippet to block IrfanView from launching child processes
# (Apply via Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies)
New-AppLockerPolicy -RuleType Path -User Everyone `
    -Action Deny -Path "%PROGRAMFILES%\IrfanView\i_view*.exe" `
    -Description "Block IrfanView pending CVE-2025-7315 remediation"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.