CVE-2025-7290: 
IrfanView vulnerability analysis and mitigation

The vulnerability (CVE-2025-7290) affects the IrfanView CADImage Plugin and was discovered in February 2025. This security flaw allows remote attackers to execute arbitrary code on affected installations of the plugin through DXF file parsing. The vulnerability was publicly disclosed on July 8, 2025, and affects IrfanView CADImage Plugin versions prior to 4.72 (Zero Day Initiative).

The vulnerability exists within the parsing of DXF files in the IrfanView CADImage Plugin. The specific issue stems from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. The vulnerability has been assigned a CVSS v3.0 score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (Zero Day Initiative).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. User interaction is required for exploitation, specifically the target must visit a malicious page or open a malicious file (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to update to this version or newer to mitigate the risk (Zero Day Initiative).