CVE-2025-7311: 
IrfanView vulnerability analysis and mitigation

IrfanView CADImage Plugin contains a remote code execution vulnerability (CVE-2025-7311) that affects versions prior to 4.72. The vulnerability was discovered in the DWG file parsing functionality and was reported on February 28, 2025, with public disclosure on July 8, 2025 (Zero Day Initiative).

The vulnerability exists within the parsing of DWG files in the IrfanView CADImage Plugin. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is tracked under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (Zero Day Initiative).

A successful exploitation of this vulnerability allows remote attackers to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically the target must visit a malicious page or open a malicious file (Zero Day Initiative).

The vulnerability has been fixed in IrfanView CADImage Plugin version 4.72. Users are advised to upgrade to this version or later to mitigate the risk (Zero Day Initiative).