CVE-2025-7286: 
IrfanView vulnerability analysis and mitigation

IrfanView CADImage Plugin contains a memory corruption vulnerability (CVE-2025-7286) that allows remote attackers to execute arbitrary code. The vulnerability was discovered in February 2025 and publicly disclosed on July 8th, 2025. The vulnerability affects IrfanView CADImage Plugin versions up to (excluding) 15.0.0.8 for both x64 and x86 architectures, as well as IrfanView versions up to (excluding) 4.72 (Zero Day Initiative).

The vulnerability exists within the parsing of DXF files and stems from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (HIGH) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (Zero Day Initiative).

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code in the context of the current process. The vulnerability requires user interaction, specifically that the target must visit a malicious page or open a malicious file (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to upgrade to this version or later to mitigate the vulnerability (Zero Day Initiative).