CVE-2025-7309: 
IrfanView vulnerability analysis and mitigation

IrfanView CADImage Plugin contains a memory corruption vulnerability in the DWG file parsing functionality. This vulnerability (CVE-2025-7309) allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. The vulnerability was discovered by Rocco Calvi (@TecR0c) with TecSecurity and was reported to the vendor on February 28, 2025 (Zero Day Initiative).

The vulnerability exists within the parsing of DWG files and results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. The issue has been assigned a CVSS v3.0 base score of 7.8 (HIGH) with the vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (Zero Day Initiative).

An attacker can leverage this vulnerability to execute code in the context of the current process. The vulnerability affects both x64 and x86 versions of IrfanView up to (excluding) version 4.72, as well as CADImage plugin versions up to (excluding) 15.0.0.8 (NVD).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to upgrade to this version or later to mitigate the risk (Zero Day Initiative).