CVE-2025-7261: 
IrfanView vulnerability analysis and mitigation

CVE-2025-7261 is a remote code execution vulnerability affecting IrfanView CADImage Plugin. The vulnerability was discovered in February 2025 and publicly disclosed on July 8, 2025. This security flaw exists within the parsing of DWG files in the CADImage Plugin, affecting versions up to (excluding) 4.72 for both x86 and x64 architectures (Zero Day Initiative).

The vulnerability stems from the lack of proper validation of user-supplied data during DWG file parsing, which can result in a read past the end of an allocated buffer (out-of-bounds read). The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (HIGH) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (Zero Day Initiative).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. The attacker can leverage this vulnerability to execute code in the context of the current process, potentially gaining control over the affected system (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to upgrade to this version or later to mitigate the risk (Zero Day Initiative).