CVE-2025-7322 Overview
CVE-2025-7322 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage Plugin. The flaw resides in the parser that processes DWG (AutoCAD drawing) files. Attackers can leverage the issue to execute arbitrary code in the context of the current user process. Exploitation requires user interaction: the victim must open a malicious DWG file or visit a page that delivers one. The Zero Day Initiative tracks this issue as ZDI-CAN-26423 and published advisory ZDI-25-569.
Critical Impact
Successful exploitation grants arbitrary code execution under the privileges of the IrfanView user, enabling malware delivery, credential theft, or pivoting on the host.
Affected Products
- IrfanView (x86 and x64 builds)
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
- Workstations rendering untrusted DWG files via IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7322 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7322
Vulnerability Analysis
The CADImage plugin extends IrfanView with the ability to render CAD drawing formats, including DWG. The plugin's DWG parser fails to validate user-supplied length and offset fields before reading from an allocated buffer. When a crafted DWG file is opened, the parser reads beyond the buffer boundary into adjacent memory. Attackers can combine the out-of-bounds read with memory layout manipulation to disclose sensitive process data or steer execution toward attacker-controlled content. The Zero Day Initiative reports the outcome as arbitrary code execution in the IrfanView process context.
Root Cause
The root cause is missing bounds validation on fields parsed from the DWG container [CWE-125]. The plugin trusts size and offset values embedded inside the file format and uses them directly in read operations. No sanity check confirms that the computed read remains inside the allocated buffer.
Attack Vector
Exploitation is local and user-driven. An attacker delivers a malicious .dwg file through email, chat, removable media, or a web download. When the user opens the file in IrfanView with the CADImage plugin installed, the parser triggers the out-of-bounds read. The CVSS vector indicates local attack vector with required user interaction. There is no need for prior authentication on the target host.
No verified public proof-of-concept code is available. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-569.
Detection Methods for CVE-2025-7322
Indicators of Compromise
- DWG files arriving from untrusted sources, especially through email attachments, instant messaging, or browser downloads to user profile directories.
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- IrfanView process crashes referencing the CADImage plugin module in Windows Error Reporting (WER) telemetry.
Detection Strategies
- Inspect endpoint telemetry for IrfanView processes loading the CADImage plugin DLL followed by anomalous memory access patterns or crashes.
- Hunt for file-write events that drop .dwg files into user-writable paths followed by IrfanView execution within a short interval.
- Apply YARA rules that flag malformed DWG headers with inconsistent section length fields when files transit mail or web gateways.
Monitoring Recommendations
- Forward IrfanView process creation, module load, and crash events to your SIEM and alert on deviations from baseline behavior.
- Monitor outbound network connections initiated by i_view32.exe or i_view64.exe, which would be unusual for a static image viewer.
- Track installation of the CADImage plugin across the fleet to maintain an accurate exposure inventory.
How to Mitigate CVE-2025-7322
Immediate Actions Required
- Inventory hosts running IrfanView and confirm whether the CADImage plugin is installed.
- Block inbound .dwg attachments at the mail gateway until patched builds are deployed.
- Restrict file association so that .dwg files do not open automatically in IrfanView.
- Educate users to avoid opening DWG files from untrusted sources.
Patch Information
Review the Zero Day Initiative Advisory ZDI-25-569 for vendor coordination status. Apply the latest CADImage plugin and IrfanView releases from the respective vendors once available. Validate version strings after deployment to confirm the fixed build is in place.
Workarounds
- Uninstall the CADImage plugin on systems that do not require DWG rendering.
- Remove or rename the CADImage plugin DLL to prevent IrfanView from loading the vulnerable parser.
- Run IrfanView inside a low-integrity sandbox or application isolation container when CAD parsing is required.
- Use Windows Defender Application Control or AppLocker to restrict IrfanView from spawning script interpreters and shells.
# Example AppLocker-style child process restriction for IrfanView
# Block i_view64.exe from launching common LOLBins
New-AppLockerPolicy -RuleType Path \
-User Everyone \
-Action Deny \
-Path "%PROGRAMFILES%\IrfanView\i_view64.exe" \
-ChildProcess @("cmd.exe","powershell.exe","wscript.exe","rundll32.exe")
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

