CVE-2025-7304: 
IrfanView vulnerability analysis and mitigation

IrfanView CADImage Plugin contains a memory corruption vulnerability in the parsing of DWG files that allows remote attackers to execute arbitrary code. The vulnerability (CVE-2025-7304) was discovered in early 2025 and affects IrfanView CADImage Plugin versions prior to 4.72. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file (Zero Day Initiative).

The vulnerability exists within the parsing of DWG files and results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (HIGH) with the vector string: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is tracked as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (Zero Day Initiative).

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the current process, potentially gaining the same privileges as the user running the application. The vulnerability affects both x64 and x86 versions of the software (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to update to this version or later to mitigate the risk (Zero Day Initiative).