CVE-2025-7274 in CADImage Plugin

Summary

by MITRE • 07/21/2025

IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26203.


Analysis

by VulDB Data Team • 07/26/2025

CVE-2025-7274 is a critical memory corruption flaw in the DWG parsing code of the IrfanView CADImage Plugin that provides a remote code execution vector against affected systems. The vulnerable component parses AutoCAD Drawing (DWG) files, a format widely used in engineering and architecture, so the exposed attack surface spans every industry that relies on CAD software. The flaw stems from insufficient validation of user-supplied DWG file data, which lets an attacker craft a file that triggers a memory corruption condition when the vulnerable plugin processes it.

The vulnerability is classified as CWE-125, out-of-bounds read, a condition that can lead to memory corruption and arbitrary code execution. When IrfanView processes a malicious DWG file through the CADImage plugin, the parsing logic fails to properly validate the file's structure and content, giving an attacker the opportunity to manipulate the memory layout and execute code in the context of the running IrfanView process. The corruption occurs during the parsing phase in which the plugin interprets the various DWG file elements, particularly geometric data structures and object references. Exploitation requires user interaction: the target must open the malicious file directly or visit a web page that serves it, which makes the flaw particularly dangerous in phishing scenarios and when users browse untrusted content.

The operational impact goes beyond the initial code execution, since an attacker who gains a foothold can establish persistent access and potentially escalate privileges within the compromised environment. Such an attacker can install backdoors, exfiltrate sensitive data, or deploy additional malware payloads, which is of particular concern to organizations that handle sensitive engineering or architectural data. The attack chain typically begins with delivery of a malicious DWG file through social engineering, a web-based attack, or a compromised file-sharing platform, after which the victim's system processes the file through the vulnerable IrfanView plugin. Organizations that deploy IrfanView with the CADImage plugin across their networks face significant exposure, because the vulnerability can be exploited across multiple operating systems and environments where the software is installed, potentially affecting both desktop and server deployments.

Mitigation for CVE-2025-7274 should prioritize prompt patching of the IrfanView CADImage plugin to address the underlying memory corruption issue, following the vendor's advisories and security bulletins. Organizations should enforce file validation policies that prevent automatic processing of untrusted DWG files, particularly those received as email attachments or downloaded from unverified sources. Network-based controls such as web proxies, content filtering systems, and email security gateways should be configured to block or quarantine DWG files from suspicious sources, and endpoint protection should be updated with signature-based detection for malicious DWG file patterns. Because user interaction remains a critical component of exploitation, security awareness training should stress the risks of opening unknown file types and visiting untrusted websites. The vulnerability underlines the importance of input validation and memory safety in file-processing applications; it maps to ATT&CK techniques T1059.007 (Command and Scripting Interpreter) and T1203 (Exploitation for Client Execution), highlighting the need for controls that address both the technical flaw and the delivery vectors.

Reservation: 07/07/2025

Disclosure: 07/21/2025

Moderation: accepted

CPE: ready

EPSS: 0.00220

KEV: no

Activities: very low
