Skip to main content
CVE Vulnerability Database

CVE-2025-7321: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7321 is a remote code execution flaw in Cadsofttools Cadimage that allows attackers to execute arbitrary code through malicious DWG files. This article covers the technical details, affected systems, and mitigations.

Published:

CVE-2025-7321 Overview

CVE-2025-7321 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code when a user opens a malicious DWG file. The flaw resides in the plugin's DWG file parser, which fails to properly validate user-supplied data before processing it in memory. Exploitation requires user interaction, such as opening a crafted file or visiting a malicious page that delivers one. Code executes in the context of the IrfanView process. The Zero Day Initiative tracked this issue as ZDI-CAN-26421 and published advisory ZDI-25-568. The vulnerability maps to CWE-119, improper restriction of operations within the bounds of a memory buffer.

Critical Impact

Attackers can achieve arbitrary code execution on Windows systems running affected versions of IrfanView with the CADImage Plugin by convincing a user to open a malicious DWG file.

Affected Products

  • CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) with CADImage Plugin installed
  • Windows systems with vulnerable plugin versions deployed

Discovery Timeline

  • 2025-07-21 - CVE-2025-7321 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7321

Vulnerability Analysis

The vulnerability exists in the CADImage Plugin's handler for DWG files, the native drawing format used by AutoCAD and compatible CAD applications. DWG is a complex binary container with multiple sections, embedded objects, and length-prefixed structures. The plugin parses these structures without sufficient bounds checking, allowing crafted field values to drive memory operations outside the intended buffer.

Because the CADImage Plugin executes inside the IrfanView process, successful exploitation yields code execution at the privilege level of the logged-in user. This commonly includes access to user documents, browser data, and stored credentials. The vulnerability is classified under CWE-119, a category that covers buffer overflows, out-of-bounds reads, and out-of-bounds writes.

Root Cause

The root cause is the absence of validation on length, offset, or count fields read from the DWG file. The parser trusts attacker-controlled values when computing buffer sizes or pointer arithmetic. When these values exceed allocated buffer dimensions, memory corruption occurs in adjacent heap or stack regions.

Attack Vector

The attack requires a local file open action by the user, but delivery is typically remote. An attacker hosts a malicious .dwg file on a website, sends it as an email attachment, or stages it on a network share. When the user opens the file in IrfanView, the CADImage Plugin parses it and triggers the memory corruption. No additional authentication is required. See the Zero Day Initiative Advisory ZDI-25-568 for additional technical context.

No verified public exploit code is available at this time. Refer to the ZDI advisory for vendor coordination details.

Detection Methods for CVE-2025-7321

Indicators of Compromise

  • Unexpected i_view32.exe or i_view64.exe process crashes when opening DWG files, indicating possible exploitation attempts or unstable shellcode
  • Creation of child processes from IrfanView such as cmd.exe, powershell.exe, or rundll32.exe following a DWG file open
  • Inbound DWG attachments from untrusted senders, particularly those delivered via phishing campaigns targeting engineering and architecture personnel

Detection Strategies

  • Monitor endpoint telemetry for IrfanView spawning shell or scripting interpreters, which is anomalous behavior for an image viewer
  • Inspect file-open events that involve .dwg extensions opened by i_view32.exe or i_view64.exe and correlate with subsequent network connections
  • Apply YARA rules targeting malformed DWG structures and oversized length fields in DWG headers at email gateways and web proxies

Monitoring Recommendations

  • Enable Windows Error Reporting and crash dump collection for IrfanView processes to capture exploitation attempts
  • Forward EDR process-tree telemetry to a centralized SIEM and alert on IrfanView parent processes spawning LOLBins
  • Track installation inventory for the CADImage Plugin across the fleet to identify systems requiring remediation

How to Mitigate CVE-2025-7321

Immediate Actions Required

  • Update the CADImage Plugin to the latest version provided by CADSoftTools as soon as a fixed release is available
  • Restrict opening of DWG files from untrusted sources, including email attachments and downloaded archives
  • Remove the CADImage Plugin from IrfanView installations on systems that do not require CAD file viewing

Patch Information

At the time of NVD publication, no vendor patch URL is listed in the advisory. Administrators should consult the Zero Day Initiative Advisory ZDI-25-568 and the CADSoftTools website for updated plugin releases. Until a patch is confirmed, treat all unsolicited DWG files as untrusted.

Workarounds

  • Uninstall or disable the CADImage Plugin in IrfanView by removing the plugin DLL from the IrfanView Plugins directory
  • Configure email gateways and web proxies to block or quarantine .dwg attachments from external senders
  • Apply Windows Defender Exploit Guard or equivalent attack surface reduction rules to prevent IrfanView from spawning child processes
  • Run IrfanView under a low-privilege user account and within an application sandbox to limit post-exploitation impact
bash
# Remove the CADImage Plugin DLL from IrfanView (run as Administrator)
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"

# Block .dwg files at the mail gateway (example PowerShell for Exchange)
New-TransportRule -Name "Block DWG Attachments" -AttachmentExtensionMatchesWords "dwg" -RejectMessageReasonText "DWG attachments blocked pending CVE-2025-7321 remediation"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.