CVE-2025-7252: 
IrfanView vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-7252) was discovered in the IrfanView CADImage Plugin affecting its DWG file parsing functionality. The vulnerability was reported on February 5, 2025, and publicly disclosed on July 8, 2025. This security flaw affects IrfanView CADImage Plugin installations for both x86 and x64 architectures, versions prior to 4.72 (Zero Day Initiative).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) with a CVSS v3.0 base score of 7.8 (HIGH). The vulnerability vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability. The specific flaw exists within the parsing of DWG files and results from inadequate validation of user-supplied data, which can lead to a read operation beyond the bounds of an allocated buffer (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of IrfanView CADImage Plugin. The high CVSS score reflects the severe potential impact on system security, with possible complete compromise of confidentiality, integrity, and availability of the targeted system (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to upgrade to this version or later to mitigate the risk. The fix addresses the improper validation of user-supplied data during DWG file parsing (Zero Day Initiative).