CVE-2025-7247: 
IrfanView vulnerability analysis and mitigation

IrfanView CADImage Plugin contains a remote code execution vulnerability (CVE-2025-7247) discovered in February 2025. The vulnerability affects the DXF file parsing functionality in IrfanView CADImage Plugin versions prior to 4.72. This security flaw was reported by Rocco Calvi (@TecR0c) with TecSecurity and was publicly disclosed on July 8, 2025 (Zero Day Initiative).

The vulnerability stems from improper validation of user-supplied data during DXF file parsing, which can result in an out-of-bounds read condition. The issue has been assigned a CVSS v3.0 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (Zero Day Initiative).

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code in the context of the current process. This could potentially lead to complete system compromise with the privileges of the affected application (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to upgrade to this version or later to mitigate the risk (Zero Day Initiative).