CVE-2025-7312
📋 TL;DR
This vulnerability in IrfanView's CADImage plugin allows remote attackers to execute arbitrary code when users open malicious DWG files. Attackers can exploit improper buffer validation during DWG parsing to read beyond allocated memory boundaries and gain code execution. Users of IrfanView with the CADImage plugin installed are affected.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms being established on the compromised system.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash but no code execution.
🎯 Exploit Status
User interaction required (opening malicious file). The vulnerability was discovered by ZDI (ZDI-CAN-26398), suggesting potential for weaponization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check IrfanView updates for CADImage plugin patch
Vendor Advisory: https://www.irfanview.com/
Restart Required: Yes
Instructions:
1. Open IrfanView
2. Go to Help > Check for Updates
3. Install all available updates
4. Restart IrfanView
🔧 Temporary Workarounds
Disable CADImage Plugin
Windows: Remove or disable the vulnerable CADImage plugin from IrfanView.
Navigate to the IrfanView plugins directory and remove CADImage.dll, or rename it to disable the plugin.
Block DWG File Extensions
Windows: Prevent IrfanView from opening DWG files via file association changes.
Use Windows Group Policy or the registry to remove the .dwg association with IrfanView.
🧯 If You Can't Patch
- Implement application whitelisting to prevent IrfanView execution
- Use endpoint protection with memory protection features enabled
🔍 How to Verify
Check if Vulnerable:
Check IrfanView version and verify CADImage plugin is installed. Open IrfanView > Help > About to see version information.
Check Version:
irfanview.exe /?
Verify Fix Applied:
Verify that IrfanView has been updated to the latest version and that the CADImage plugin version is patched.
📡 Detection & Monitoring
Log Indicators:
- IrfanView crash logs with memory access violations
- Windows Application Event Logs showing IrfanView failures
Network Indicators:
- Unusual outbound connections from systems running IrfanView
- DWG file downloads from untrusted sources
SIEM Query:
Process Creation where Image contains 'i_view' AND CommandLine contains '.dwg'
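The SIEM query above, applied to process-creation records, as an added example that is not part of the original advisory or any vendor tooling. It assumes events carry `Image` and `CommandLine` fields as in the query, and it tightens "contains '.dwg'" to "an argument whose file extension is .dwg" so that names such as notes.dwg.txt do not alert; the `host` field and all sample values are constructed.

```python
import re
from pathlib import PureWindowsPath

# Quoted arguments or bare tokens, as they appear on a Windows command line.
TOKEN_RE = re.compile(r'"([^"]*)"|([^\s"]+)')

def dwg_args(command_line):
    """Return the command-line arguments whose file extension is .dwg."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(command_line)]
    return [t for t in tokens if PureWindowsPath(t).suffix.lower() == ".dwg"]

def match_event(event):
    """Apply the page's rule: image name contains 'i_view' and a .dwg file is opened."""
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    if "i_view" not in image_name:
        return []
    return dwg_args(event.get("CommandLine", ""))

def hunt(events):
    """Return (host, dwg_path) pairs for every matching process-creation event."""
    return [(e["host"], path) for e in events for path in match_event(e)]

# Constructed sample events (hosts, users and paths are made up for illustration).
SAMPLE_EVENTS = [
    {"host": "ws-01", "Image": r"C:\Program Files\IrfanView\i_view64.exe",
     "CommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\amy\Downloads\plan.DWG"'},
    {"host": "ws-02", "Image": r"C:\Program Files\IrfanView\i_view32.exe",
     "CommandLine": r'"C:\Program Files\IrfanView\i_view32.exe" "C:\Pics\photo.jpg"'},
    {"host": "ws-03", "Image": r"C:\CAD\viewer.exe",
     "CommandLine": r'C:\CAD\viewer.exe C:\Jobs\site.dwg'},
    {"host": "ws-04", "Image": r"C:\IrfanView\I_VIEW64.EXE",
     "CommandLine": r'C:\IrfanView\I_VIEW64.EXE C:\Temp\a.dwg /print'},
    {"host": "ws-05", "Image": r"C:\Program Files\IrfanView\i_view64.exe",
     "CommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" "C:\share\notes.dwg.txt"'},
]

if __name__ == "__main__":
    for host, path in hunt(SAMPLE_EVENTS):
        print(f"{host}: IrfanView opened {path}")
```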