Skip to main content
CVE Vulnerability Database

CVE-2025-7235: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7235 is a remote code execution vulnerability in Cadsofttools Cadimage that allows attackers to execute arbitrary code via malicious DXF files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7235 Overview

CVE-2025-7235 is an out-of-bounds write vulnerability [CWE-787] in the IrfanView CADImage plugin developed by CADSoftTools. The flaw resides in the plugin's DXF (Drawing Exchange Format) file parser and stems from missing validation of user-supplied data. Attackers can craft a malicious DXF file that, when opened in IrfanView, writes data past the end of an allocated buffer. Successful exploitation leads to arbitrary code execution in the context of the IrfanView process. The vulnerability requires user interaction: the victim must open a malicious file or visit a page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-26075 and tracked publicly as ZDI-25-485.

Critical Impact

Remote attackers can achieve arbitrary code execution on systems where a user opens a crafted DXF file with the IrfanView CADImage plugin installed.

Affected Products

  • IrfanView (x86 and x64 builds with the CADImage plugin installed)
  • CADSoftTools CADImage plugin for IrfanView (x86)
  • CADSoftTools CADImage plugin for IrfanView (x64)

Discovery Timeline

  • 2025-07-21 - CVE-2025-7235 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7235

Vulnerability Analysis

The vulnerability is an out-of-bounds write [CWE-787] in the DXF file parsing routines of the CADImage plugin. DXF is an ASCII or binary CAD interchange format consisting of grouped record entries describing geometry, layers, and metadata. When the plugin parses attacker-controlled values from a DXF file, it fails to validate the size or range of input fields before writing them into a fixed-size buffer.

Because the write occurs past the end of the allocated buffer, an attacker who controls the input data can corrupt adjacent heap or stack memory. Typical exploitation paths for this class of bug include overwriting object pointers, function pointers, or virtual table references to redirect control flow. Code executes with the privileges of the IrfanView process, which is normally the interactive user.

The attack vector is local because file delivery is required, but practical delivery is straightforward through email attachments, web downloads, or shared file stores. Confidentiality, integrity, and availability impacts are all rated high in the CVSS vector.

Root Cause

The root cause is improper input validation during DXF record parsing inside the CADImage plugin. Length, count, or index fields read from the DXF file are used to drive buffer writes without bounds checking against the destination allocation, producing the out-of-bounds write condition.

Attack Vector

An attacker crafts a malicious DXF file containing manipulated parsing fields and delivers it to a target user. When the user opens the file in IrfanView with the CADImage plugin enabled, parsing triggers the out-of-bounds write and the attacker's payload executes in the IrfanView process context. No authentication is required, and the action is initiated entirely by the victim opening the file.

Verified exploitation code is not publicly available. See the Zero Day Initiative Advisory ZDI-25-485 for the vendor coordination record.

Detection Methods for CVE-2025-7235

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command interpreters such as cmd.exe, powershell.exe, or rundll32.exe.
  • DXF files arriving from untrusted sources (email attachments, web downloads) and subsequently opened by IrfanView.
  • Crash dumps or Windows Error Reporting entries referencing the CADImage plugin DLL during DXF parsing.

Detection Strategies

  • Monitor process creation events where the parent image is IrfanView and the child is a scripting host, LOLBin, or network utility.
  • Inspect file write and execution events originating from the IrfanView process tree to user-writable paths such as %TEMP%, %APPDATA%, and %LOCALAPPDATA%.
  • Hunt for DXF files in mail gateways and proxy logs and correlate delivery with subsequent IrfanView process anomalies on the endpoint.

Monitoring Recommendations

  • Enable Windows Event ID 4688 with command-line auditing to capture process arguments under IrfanView.
  • Forward EDR telemetry for image loads of the CADImage plugin DLL into a centralized data lake for retrospective hunting.
  • Alert on access violations or unhandled exceptions in IrfanView processes that coincide with DXF file opens.

How to Mitigate CVE-2025-7235

Immediate Actions Required

  • Update IrfanView and the CADImage plugin to the latest versions provided by IrfanView and CADSoftTools.
  • Restrict opening of DXF files from untrusted sources and disable automatic file association handling where feasible.
  • Block inbound DXF attachments at email and web gateways for user populations that do not require CAD workflows.

Patch Information

Refer to the Zero Day Initiative Advisory ZDI-25-485 for vendor coordination details. Apply the latest CADImage plugin release from CADSoftTools and the latest IrfanView release that bundles or supports the fixed plugin version.

Workarounds

  • Uninstall or disable the CADImage plugin on endpoints that do not require DXF or DWG viewing in IrfanView.
  • Remove the DXF file association from IrfanView so that double-clicking DXF files does not invoke the vulnerable parser.
  • Run IrfanView under a standard user account with application sandboxing or Windows Defender Application Guard policies to limit blast radius if exploitation succeeds.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.