CVE-2025-7251
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of IrfanView with the CADImage plugin. Attackers can exploit this by tricking users into opening malicious DWG files or visiting malicious web pages. The vulnerability affects users who process DWG files with IrfanView's CADImage plugin.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the user running IrfanView, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms being established on the compromised system.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash but no code execution.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). The vulnerability is in a widely used plugin and follows typical file format exploitation patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check IrfanView website for latest CADImage plugin version
Vendor Advisory: https://www.irfanview.com/
Restart Required: Yes
Instructions:
1. Visit https://www.irfanview.com/
2. Download latest IrfanView version
3. Install updated version
4. Restart system
🔧 Temporary Workarounds
Disable DWG file association
Windows: Remove IrfanView as the default handler for DWG files to prevent automatic opening
Control Panel > Default Programs > Set Associations > Remove .dwg from IrfanView
Remove CADImage plugin
Windows: Temporarily remove the vulnerable plugin until patched
Delete or rename CADImage.dll from IrfanView plugins directory
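One way to apply the plugin-removal workaround, as an added example (not from IrfanView or the plugin vendor). It assumes the default install folders under Program Files; the `$Roots` parameter and the `.disabled` suffix are choices made for this example, so add custom or portable install paths as needed.

```powershell
# Added example: locate CADImage.dll under IrfanView installs and disable it by renaming.
# Assumption: default install locations; pass other paths through -Roots.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Roots = @(
        "$env:ProgramFiles\IrfanView",
        "${env:ProgramFiles(x86)}\IrfanView"
    ),
    [switch]$Disable   # without this switch the script only reports
)

$found = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    # Search the whole install tree so a copy outside Plugins\ is not missed.
    Get-ChildItem -LiteralPath $root -Filter 'CADImage.dll' -File -Recurse -ErrorAction SilentlyContinue
}

if (-not $found) {
    Write-Output 'No CADImage.dll found under the searched roots.'
    return
}

foreach ($dll in $found) {
    # Report the file version so it can be compared with the current plugin release.
    [pscustomobject]@{
        Path        = $dll.FullName
        FileVersion = $dll.VersionInfo.FileVersion
        Modified    = $dll.LastWriteTime
    }

    if ($Disable) {
        $newName = "$($dll.Name).disabled"
        if ($PSCmdlet.ShouldProcess($dll.FullName, "Rename to $newName")) {
            # Needs an elevated session when IrfanView is installed under Program Files.
            Rename-Item -LiteralPath $dll.FullName -NewName $newName -ErrorAction Stop
        }
    }
}
```

Run it with `-Disable -WhatIf` first to preview the rename, and rename the file back after installing a fixed plugin version.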
🧯 If You Can't Patch
- Implement application whitelisting to block IrfanView execution
- Use network segmentation to isolate systems running IrfanView from critical assets
🔍 How to Verify
Check if Vulnerable:
Check IrfanView Help > About dialog for version information and compare with latest available version
Check Version:
irfanview.exe /?
Verify Fix Applied:
Verify IrfanView version is updated and test opening known safe DWG files
📡 Detection & Monitoring
Log Indicators:
- IrfanView process crashes when opening DWG files
- Unexpected child processes spawned from IrfanView
Network Indicators:
- Outbound connections from IrfanView process to unknown IPs
- DNS requests for suspicious domains from IrfanView
SIEM Query:
Process Creation where Parent Process Name contains 'i_view' AND (Command Line contains '.dwg' OR Image contains suspicious patterns)