CVE-2025-7274: 
IrfanView vulnerability analysis and mitigation

IrfanView CADImage Plugin contains a memory corruption vulnerability in the parsing of DWG files that allows remote code execution. The vulnerability (CVE-2025-7274) was discovered and reported through the Zero Day Initiative program (ZDI-CAN-26203). This vulnerability affects IrfanView CADImage Plugin versions up to (excluding) 15.0.0.8 for both x86 and x64 architectures, as well as IrfanView versions up to (excluding) 4.72 (Zero Day Initiative).

The vulnerability stems from improper validation of user-supplied data during DWG file parsing, which can result in a memory corruption condition. The issue has been assigned a CVSS v3.0 base score of 7.8 (HIGH) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (Zero Day Initiative).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to update to this version or newer to mitigate the risk (Zero Day Initiative).