CVE-2025-7307: 
IrfanView vulnerability analysis and mitigation

A memory corruption vulnerability has been identified in IrfanView CADImage Plugin (CVE-2025-7307), discovered on February 28, 2025, and publicly disclosed on July 8, 2025. The vulnerability affects the DWG file parsing functionality in versions prior to 4.72. This security flaw allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin, though user interaction is required through visiting a malicious page or opening a malicious file (Zero Day Initiative).

The vulnerability exists within the parsing of DWG files in the IrfanView CADImage Plugin. The core issue stems from improper validation of user-supplied data, which can result in a memory corruption condition. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, user interaction required, and high impacts on confidentiality, integrity, and availability (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score reflects the severe potential impact, as successful exploitation could lead to complete compromise of the affected system's confidentiality, integrity, and availability, though mitigated by the requirement for user interaction (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to update to this version or later to mitigate the risk (Zero Day Initiative).