CVE-2025-7253
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of IrfanView with the CADImage plugin. Attackers can exploit this by tricking users into opening malicious DWG files or visiting malicious web pages. The vulnerability affects users who have IrfanView with the CADImage plugin installed.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to user account compromise, data exfiltration, and potential installation of persistent malware.
If Mitigated
Limited impact due to application sandboxing or restricted user privileges, potentially resulting only in application crash.
🎯 Exploit Status
User interaction required (opening malicious file). Memory corruption vulnerability with reliable exploitation likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check IrfanView website for latest CADImage plugin update
Vendor Advisory: https://www.irfanview.com/
Restart Required: No
Instructions:
1. Visit the official IrfanView website
2. Download the latest version of IrfanView with updated CADImage plugin
3. Install the update following vendor instructions
4. Verify the plugin version is updated
🔧 Temporary Workarounds
Disable CADImage Plugin
Windows: Remove or disable the vulnerable CADImage plugin from IrfanView
Navigate to IrfanView plugins directory and remove CADImage plugin files
Block DWG File Extensions
Windows: Prevent IrfanView from opening DWG files via file association changes
Use Windows Group Policy or registry to modify file associations
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of IrfanView
- Use network segmentation to isolate systems running IrfanView from critical assets
🔍 How to Verify
Check if Vulnerable:
Check IrfanView Help > About dialog for CADImage plugin version and compare with latest version on vendor site
Check Version:
Open IrfanView, go to Help > About, check plugin versions
Verify Fix Applied:
Verify CADImage plugin version matches or exceeds the patched version from vendor advisory
📡 Detection & Monitoring
Log Indicators:
- IrfanView crash logs
- Unexpected process creation from IrfanView
- Memory access violation events in Windows Event Logs
Network Indicators:
- Outbound connections from IrfanView process to unknown IPs
- DNS requests for suspicious domains from systems running IrfanView
SIEM Query:
Process Creation where Image contains 'i_view' AND ParentImage contains 'explorer' AND CommandLine contains '.dwg'
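The log indicators and SIEM query above can be combined into one correlation rule. The following is an added example, not part of the original advisory: it matches the IrfanView executables by file name, drops the explorer-parent condition so DWG files opened from a browser or mail client are also seen, and raises severity when IrfanView spawns a process on a host that opened a DWG earlier. Field names follow Sysmon process-creation events; the `Host` field and all sample events are constructed assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
# "Host" is an assumed field name for the reporting machine.
IV = r"C:\Program Files\IrfanView\i_view64.exe"
SAMPLE_EVENTS = [
    {"Host": "ws01", "Image": IV, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"%s" "C:\\Users\\a\\Downloads\\plan.dwg"' % IV},
    {"Host": "ws01", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": IV,
     "CommandLine": "cmd.exe"},
    {"Host": "ws02", "Image": IV, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"%s" "C:\\Users\\b\\Pictures\\cat.jpg"' % IV},
]

# Match the IrfanView executables by file name rather than "contains i_view".
IVIEW_EXE = re.compile(r"\\i_view(32|64)\.exe$", re.IGNORECASE)
# A .dwg path ending an argument: followed by a quote, whitespace or end of line.
DWG_ARG = re.compile(r'\.dwg(?:"|\s|$)', re.IGNORECASE)

def is_irfanview(path):
    return bool(IVIEW_EXE.search(path or ""))

def classify(event):
    """Return 'child_of_irfanview', 'dwg_open' or None for one event."""
    if is_irfanview(event.get("ParentImage")) and not is_irfanview(event.get("Image")):
        return "child_of_irfanview"
    if is_irfanview(event.get("Image")) and DWG_ARG.search(event.get("CommandLine") or ""):
        return "dwg_open"
    return None

def correlate(events):
    """Alert on processes spawned by IrfanView; raise severity when the same
    host opened a DWG in IrfanView earlier. Events are assumed time-ordered."""
    dwg_hosts, alerts = set(), []
    for ev in events:
        kind = classify(ev)
        if kind == "dwg_open":
            dwg_hosts.add(ev["Host"])
        elif kind == "child_of_irfanview":
            severity = "high" if ev["Host"] in dwg_hosts else "medium"
            alerts.append((ev["Host"], severity, ev["Image"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```
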