CVE-2025-7323 Overview
CVE-2025-7323 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code when a user opens a malicious DWG file. The flaw resides in the plugin's DWG file parser, which fails to properly validate user-supplied data before processing it in memory. Exploitation requires user interaction, such as opening a crafted file or visiting a malicious page that delivers one. The vulnerability is classified under [CWE-119], improper restriction of operations within the bounds of a memory buffer. Zero Day Initiative tracked the issue internally as ZDI-CAN-26428 and published advisory ZDI-25-570.
Critical Impact
Attackers can execute arbitrary code in the context of the IrfanView process by tricking a user into opening a malicious DWG file.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
- IrfanView (x86 and x64) installations bundling the CADImage plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7323 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7323
Vulnerability Analysis
The CADImage plugin extends IrfanView with support for CAD file formats, including AutoCAD's DWG format. When the plugin parses a DWG file, it processes structured records describing drawing entities, headers, and section tables. The parser does not adequately validate fields supplied within the file before using them to drive memory operations. A crafted DWG file can therefore induce a memory corruption condition during parsing.
Because IrfanView typically runs in the security context of the interactive user, successful exploitation grants code execution at that privilege level. The vulnerability affects both x86 and x64 builds of the plugin and the host application.
Root Cause
The root cause is the absence of proper validation of attacker-controlled values inside the DWG file structure. Length fields, offsets, or count values consumed by the parser are trusted without bounds checking, leading to operations that read or write outside the intended buffer ([CWE-119]).
Attack Vector
The attack requires local file handling with user interaction. An attacker delivers a malicious .dwg file via email attachment, drive-by download, file share, or a webpage that prompts the victim to open the file in IrfanView. Once opened, the CADImage plugin parses the file and triggers the memory corruption, allowing the attacker to execute code in the current process context.
No authenticated network access is required, and no elevated privileges are needed on the target system. Refer to the Zero Day Initiative Advisory ZDI-25-570 for additional context.
Detection Methods for CVE-2025-7323
Indicators of Compromise
- Unexpected i_view32.exe or i_view64.exe child processes spawning command interpreters such as cmd.exe, powershell.exe, or wscript.exe.
- Inbound .dwg files arriving via email attachments, browser downloads, or messaging clients prior to an IrfanView crash event.
- Application crash entries in the Windows Event Log referencing CADImage.dll faulting modules.
- New persistence artifacts (Run keys, scheduled tasks) created shortly after a DWG file was opened.
Detection Strategies
- Hunt for process lineage where IrfanView spawns scripting hosts, LOLBins, or unsigned binaries.
- Monitor for IrfanView processes performing outbound network connections, which is atypical for an image viewer.
- Inspect DWG files with file integrity tooling and flag samples that fail structural validation or contain anomalously large header offsets.
Monitoring Recommendations
- Enable EDR telemetry on workstations where IrfanView is installed and alert on memory protection events triggered inside CADImage.dll.
- Capture and retain Windows Error Reporting (WER) crash dumps for IrfanView to support post-incident triage.
- Correlate file download events with subsequent IrfanView execution to identify potential exploitation attempts.
How to Mitigate CVE-2025-7323
Immediate Actions Required
- Update the IrfanView CADImage plugin to the latest version released by CADSoftTools that addresses CVE-2025-7323.
- Inventory endpoints for both IrfanView and the CADImage plugin and prioritize patching systems used by engineering, architecture, and design teams.
- Restrict execution of IrfanView through application control policies until the plugin is updated.
- Block inbound .dwg attachments at the email gateway if business workflows permit.
Patch Information
Consult the Zero Day Initiative Advisory ZDI-25-570 and the CADSoftTools and IrfanView vendor pages for the fixed plugin release. No vendor advisory URL was published alongside the CVE entry at the time of NVD listing, so administrators should obtain the latest CADImage installer directly from CADSoftTools.
Workarounds
- Uninstall or disable the CADImage plugin from IrfanView installations that do not require DWG support.
- Configure file associations so DWG files do not open in IrfanView by default.
- Train users to avoid opening DWG files received from untrusted sources or unexpected senders.
- Run IrfanView under a low-privilege account and consider sandboxing the application with Windows Sandbox or AppContainer policies.
# Remove the CADImage plugin DLL from an IrfanView installation (Windows, run as admin)
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"
# Block .dwg file execution via Windows Defender Application Control / AppLocker
New-AppLockerPolicy -RuleType Path -User Everyone -Path "*\*.dwg" -Action Deny
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

