CVE-2025-7316 Overview
CVE-2025-7316 is a memory corruption vulnerability in the IrfanView CADImage Plugin that enables arbitrary code execution when parsing malformed DWG files. The flaw resides in the DWG file parser and stems from missing validation of user-supplied data [CWE-119]. An attacker can craft a malicious DWG file that, when opened in IrfanView with the CADImage Plugin installed, corrupts memory and redirects execution. Exploitation requires user interaction, such as opening the file or visiting a page that delivers it. Successful exploitation grants code execution in the context of the current user process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26410.
Critical Impact
Attackers can execute arbitrary code in the user context by tricking a victim into opening a crafted DWG file in IrfanView.
Affected Products
- CadSoftTools CADImage Plugin for IrfanView (x64)
- CadSoftTools CADImage Plugin for IrfanView (x86)
- IrfanView (x64 and x86) with the CADImage Plugin installed
Discovery Timeline
- 2025-07-21 - CVE-2025-7316 published to the National Vulnerability Database
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2025-7316
Vulnerability Analysis
The vulnerability resides in the CADImage Plugin distributed by CadSoftTools and used by IrfanView to render CAD file formats. When the plugin parses a DWG file, it processes structures derived from attacker-controlled fields without sufficient bounds checking. The mismatch between declared and actual sizes leads to out-of-bounds memory access during parsing operations. This memory corruption condition is classified under [CWE-119], improper restriction of operations within the bounds of a memory buffer. An attacker who controls the corrupted region can hijack control flow and execute arbitrary code within the IrfanView process. Because IrfanView is widely deployed on Windows endpoints for image and document preview, the plugin expands the attack surface to any workstation that has it enabled.
Root Cause
The root cause is the absence of proper validation of user-supplied data inside the DWG parsing routines of the CADImage Plugin. Length fields, offsets, or structure counts embedded in the DWG container are trusted without sanity checks. When these values exceed allocated buffer boundaries, the parser writes or reads outside intended memory regions, producing exploitable corruption.
Attack Vector
The attack requires user interaction. A victim must open a malicious DWG file in IrfanView or visit a web page that delivers such a file and triggers its handling. No authentication or elevated privileges are required on the target system. Code executes with the privileges of the user running IrfanView, which on most workstations equals interactive user rights. Common delivery channels include phishing attachments, drive-by downloads, and shared file repositories.
No public proof-of-concept code has been released. Refer to the Zero Day Initiative Advisory ZDI-25-563 for the vendor-coordinated technical details.
Detection Methods for CVE-2025-7316
Indicators of Compromise
- DWG files arriving via email, chat, or web downloads from untrusted senders, especially files that trigger crashes or unexpected child processes when opened in i_view64.exe or i_view32.exe.
- Unexpected process creation chains where IrfanView spawns command interpreters such as cmd.exe, powershell.exe, or rundll32.exe.
- Crash dumps or Windows Error Reporting events referencing the CADImage Plugin DLL during DWG parsing.
Detection Strategies
- Monitor for IrfanView processes loading the CADImage Plugin DLL followed by anomalous outbound network connections or file writes to startup locations.
- Inspect endpoint telemetry for DWG files opened outside of legitimate CAD workflows, particularly on systems where CAD work is not expected.
- Apply YARA rules that flag DWG headers combined with oversized or malformed length fields that target the plugin parser.
Monitoring Recommendations
- Enable application crash logging and forward i_view64.exe and i_view32.exe exception events to a central SIEM for correlation.
- Audit endpoints for installed IrfanView plugins and inventory hosts that have CADImage enabled.
- Alert on IrfanView making outbound network requests, which typically indicates post-exploitation behavior.
How to Mitigate CVE-2025-7316
Immediate Actions Required
- Identify all endpoints running IrfanView with the CADImage Plugin and prioritize them for remediation.
- Block inbound DWG attachments at email gateways until the plugin is updated.
- Instruct users to avoid opening DWG files from untrusted sources in IrfanView.
Patch Information
Consult the Zero Day Initiative Advisory ZDI-25-563 for vendor coordination status and updated CADImage Plugin releases from CadSoftTools. Apply the latest CADImage Plugin and IrfanView builds once a fixed version is available, and validate the update across managed endpoints.
Workarounds
- Uninstall or disable the CADImage Plugin on systems that do not require DWG support in IrfanView.
- Associate DWG files with a hardened CAD application rather than IrfanView, and remove IrfanView from the default handler list for .dwg.
- Restrict execution of IrfanView through application control policies on hosts that have no business need for image viewing of CAD formats.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

