CVE-2025-7280
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of IrfanView with the CADImage plugin. Attackers can exploit this by tricking users into opening malicious DWG files or visiting malicious web pages. The vulnerability affects IrfanView users who have the CADImage plugin installed.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the user running IrfanView, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms being established on the compromised system.
If Mitigated
Limited impact with application crash or denial of service if exploit attempts are blocked by security controls.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). The vulnerability is in a third-party plugin component and was discovered by ZDI (ZDI-CAN-26214).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check IrfanView updates or CADImage plugin updates
Vendor Advisory: https://www.irfanview.com/
Restart Required: Yes
Instructions:
1. Open IrfanView
2. Go to Help > Check for Updates
3. Install any available updates
4. Restart IrfanView and affected systems
🔧 Temporary Workarounds
Disable CADImage Plugin
Windows: Remove or disable the vulnerable CADImage plugin from the IrfanView installation
Navigate to IrfanView plugins directory and remove or rename CADImage.dll
Block DWG Files
All platforms: Configure system or email filters to block DWG files from untrusted sources
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of IrfanView
- Use endpoint protection with memory corruption exploit prevention capabilities
🔍 How to Verify
Check if Vulnerable:
Check IrfanView version and verify CADImage plugin is present in plugins directory
Check Version:
Open IrfanView and go to Help > About or check file properties of IrfanView executable
Verify Fix Applied:
Verify IrfanView has been updated to latest version and CADImage plugin version is updated
📡 Detection & Monitoring
Log Indicators:
- IrfanView crash logs with memory access violations
- Unexpected process creation from IrfanView
Network Indicators:
- Downloads of DWG files from suspicious sources
- Outbound connections from IrfanView process
SIEM Query:
Process creation where parent process contains 'i_view' and child process is suspicious OR Application crash events for IrfanView
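The SIEM logic above, written out as an added example that is not part of the original advisory or any vendor tooling: it classifies JSON-lines events for suspicious IrfanView child processes and for IrfanView crashes, calling out access violations in CADImage.dll. Assumptions: events are normalized to the field names shown (`ParentImage`/`Image` as in Sysmon event 1; `app`, `module`, `exception_code` are hypothetical names for Application Error event 1000 fields), and the suspicious-child list is an illustrative choice.

```python
import json

# Assumption: child images treated as suspicious when an image viewer spawns them.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ACCESS_VIOLATION = "0xc0000005"  # NTSTATUS STATUS_ACCESS_VIOLATION

def basename(path):
    """Lower-cased file name of a Windows path."""
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_irfanview(path):
    # IrfanView ships as i_view32.exe / i_view64.exe, hence the 'i_view' match.
    return "i_view" in basename(path)

def classify(event):
    """Return an alert label for one normalized event, or None."""
    eid = event.get("event_id")
    if eid == 1 and is_irfanview(event.get("ParentImage", "")):  # process creation
        if basename(event.get("Image", "")) in SUSPICIOUS_CHILDREN:
            return "irfanview_spawned_suspicious_child"
    if eid == 1000 and is_irfanview(event.get("app", "")):       # Application Error
        if str(event.get("exception_code", "")).lower() == ACCESS_VIOLATION:
            if basename(event.get("module", "")) == "cadimage.dll":
                return "access_violation_in_cadimage"
            return "irfanview_access_violation"
        return "irfanview_crash"
    return None

def scan(lines):
    """Classify JSON-lines events; skip lines that do not parse to an object."""
    alerts = []
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        label = classify(event) if isinstance(event, dict) else None
        if label:
            alerts.append((number, label))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    r'{"event_id": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\IrfanView\\i_view64.exe"}',
    r'{"event_id": 1, "ParentImage": "C:\\Program Files\\IrfanView\\i_view64.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}',
    'truncated line, not JSON',
    r'{"event_id": 1000, "app": "i_view64.exe", "module": "CADImage.dll", "exception_code": "0xc0000005"}',
    r'{"event_id": 1000, "app": "i_view64.exe", "module": "ntdll.dll", "exception_code": "0xc0000409"}',
]
```

`scan(SAMPLE_LOG)` returns `(line number, label)` pairs; tune `SUSPICIOUS_CHILDREN` to the environment before alerting on it.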