CVE-2025-7270

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DWG files with IrfanView's CADImage plugin. The flaw exists in improper memory handling during DWG file parsing, enabling attackers to run code with the same privileges as the IrfanView process. Users of IrfanView with the vulnerable CADImage plugin are affected.

💻 Affected Systems

Products:
  • IrfanView CADImage Plugin
Versions: Specific vulnerable versions not specified in advisory; assume all versions before patched release
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires IrfanView with CADImage plugin installed; user must open malicious DWG file

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation leading to user account compromise, data exfiltration, or malware installation on the affected system.

🟢 If Mitigated

Limited impact due to sandboxing, application whitelisting, or restricted user privileges preventing full system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening malicious file); memory corruption exploitation requires specific conditions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check IrfanView website for latest CADImage plugin update

Vendor Advisory: https://www.irfanview.com/

Restart Required: Yes

Instructions:

1. Visit https://www.irfanview.com/
2. Download latest IrfanView version
3. Install update
4. Restart system

🔧 Temporary Workarounds

Disable CADImage Plugin (Windows)

Remove or disable the vulnerable CADImage plugin from IrfanView: navigate to the IrfanView plugins folder and remove the CADImage plugin files.

Block DWG File Association (Windows)

Prevent IrfanView from opening DWG files by default:

Control Panel > Default Programs > Associate a file type or protocol with a program > Change .dwg association

🧯 If You Can't Patch

  • Implement application whitelisting to block IrfanView execution
  • Use endpoint protection with memory corruption exploit prevention

🔍 How to Verify

Check if Vulnerable:

Check IrfanView Help > About for version and verify CADImage plugin is installed

Check Version:

irfanview.exe /?

Verify Fix Applied:

Confirm IrfanView and CADImage plugin are updated to latest versions from official site

📡 Detection & Monitoring

Log Indicators:

  • IrfanView process crashes when opening DWG files
  • Unusual child processes spawned from IrfanView

Network Indicators:

  • Outbound connections from IrfanView process to unknown IPs

SIEM Query:

Process Creation where Image contains 'irfanview' and CommandLine contains '.dwg'
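
The query and the "unusual child processes" indicator above can be combined into one triage rule. The following is an added example, not part of the advisory: it assumes process-creation events already parsed into dictionaries with Sysmon Event ID 1 field names, and all sample events are constructed. Because IrfanView's executables are named i_view32.exe and i_view64.exe, it matches on those names as well as on an install path containing "irfanview".

```python
import ntpath

# IrfanView's executables; a path match alone misses portable installs.
IRFANVIEW_BINARIES = {"i_view32.exe", "i_view64.exe"}

def is_irfanview(image):
    image = (image or "").lower()
    return ntpath.basename(image) in IRFANVIEW_BINARIES or "irfanview" in image

def classify(event):
    """Return the advisory indicators that one process-creation event matches."""
    hits = []
    cmdline = event.get("CommandLine", "").lower()
    if is_irfanview(event.get("Image")) and ".dwg" in cmdline:
        hits.append("dwg_opened_in_irfanview")
    if is_irfanview(event.get("ParentImage")) and not is_irfanview(event.get("Image")):
        hits.append("child_process_of_irfanview")
    return hits

def triage(events):
    """Rate children of IrfanView: high if the parent PID had opened a DWG."""
    dwg_pids, alerts = set(), []
    for ev in events:  # events are assumed to be in chronological order
        hits = classify(ev)
        if "dwg_opened_in_irfanview" in hits:
            dwg_pids.add(ev["ProcessId"])
        if "child_process_of_irfanview" in hits:
            severity = "high" if ev.get("ParentProcessId") in dwg_pids else "medium"
            alerts.append((severity, ev["Image"], ev["ParentProcessId"]))
    return alerts

# Constructed sample events (not real telemetry).
IV64 = r"C:\Program Files\IrfanView\i_view64.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 900, "Image": IV64,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + IV64 + r'" "C:\Users\a\Downloads\plan.DWG"'},
    {"ProcessId": 5332, "ParentProcessId": 4120, "ParentImage": IV64,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": 6001, "ParentProcessId": 900, "Image": r"D:\Tools\i_view32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"D:\Tools\i_view32.exe C:\pics\cat.jpg"},
    {"ProcessId": 6100, "ParentProcessId": 6001, "ParentImage": r"D:\Tools\i_view32.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

PIDs are reused over time on Windows, so a production rule should also bound the correlation by host and by a time window.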
