CVE-2025-7238 Overview
CVE-2025-7238 is an out-of-bounds write vulnerability in the IrfanView CADImage Plugin that enables arbitrary code execution when a user opens a crafted DXF file. The flaw resides in the plugin's DXF file parsing logic, which fails to properly validate user-supplied data before writing past the bounds of an allocated buffer. Attackers exploit this weakness by delivering a malicious DXF file through phishing, drive-by download, or other social engineering vectors. Successful exploitation grants code execution in the context of the user running IrfanView. The Zero Day Initiative tracks this issue as ZDI-CAN-26084 and published advisory ZDI-25-505.
Critical Impact
Opening a malicious DXF file in IrfanView with the CADImage Plugin installed allows attackers to execute arbitrary code with the privileges of the logged-on user.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) with CADImage Plugin installed
- Windows systems running vulnerable plugin versions
Discovery Timeline
- 2025-07-21 - CVE-2025-7238 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7238
Vulnerability Analysis
The vulnerability is an out-of-bounds write [CWE-787] in the CADImage Plugin component that extends IrfanView with support for AutoCAD Drawing Exchange Format (DXF) files. When the plugin parses a DXF file, it processes user-controlled fields without enforcing correct buffer bounds. A crafted DXF entity can drive the parser to write data beyond the end of a heap or stack allocation. The attacker controls both the offset and the written content, enabling corruption of adjacent memory structures such as object headers, function pointers, or return addresses. Exploitation requires user interaction since the target must open the malicious file or visit a page that triggers IrfanView. Successful code execution runs with the privileges of the current process, which is typically the interactive desktop user.
Root Cause
The root cause is missing or insufficient validation of length and offset fields parsed from DXF group codes. The plugin trusts attacker-supplied size values when copying entity data into a fixed-size buffer, leading to a linear or arbitrary write past the allocation. CADSoftTools maintains the CADImage Plugin separately from IrfanView core, and the unsafe parsing path is contained within the plugin binary.
Attack Vector
The attack requires local file processing but can be initiated remotely by delivering the DXF payload through email attachments, instant messaging, removable media, or web downloads. Once the user opens the DXF file with IrfanView, the CADImage Plugin loads automatically and the vulnerable parser executes. No additional authentication is required. Refer to the Zero Day Initiative Advisory ZDI-25-505 for further technical detail.
// No verified proof-of-concept code is publicly available.
// The vulnerability is triggered by malformed DXF entity
// records that cause the CADImage parser to write beyond
// the end of an allocated buffer.
Detection Methods for CVE-2025-7238
Indicators of Compromise
- DXF files received from untrusted sources, especially via email attachments or web downloads, that target hosts with IrfanView installed.
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- IrfanView process crashes with access violations referencing the CADImage plugin DLL.
- Outbound network connections initiated by the IrfanView process shortly after opening a DXF file.
Detection Strategies
- Hunt for IrfanView processes loading the CADImage plugin and subsequently spawning shell or scripting interpreters.
- Inspect endpoint telemetry for memory protection events (DEP, CFG) triggered inside i_view32.exe or i_view64.exe.
- Apply YARA or file-format inspection rules to flag DXF files with anomalous group code length values.
Monitoring Recommendations
- Forward IrfanView process creation, image load, and crash telemetry to a centralized SIEM for correlation.
- Monitor file write activity in user profile directories following the opening of DXF files.
- Alert on outbound connections from image viewer processes, which should rarely initiate network traffic.
How to Mitigate CVE-2025-7238
Immediate Actions Required
- Inventory endpoints running IrfanView with the CADImage Plugin and prioritize them for remediation.
- Block or quarantine DXF attachments at the email gateway until patched plugin versions are deployed.
- Restrict the default file handler for DXF files away from IrfanView on systems that do not require CAD viewing.
- Educate users to avoid opening unsolicited DXF files, even from known contacts.
Patch Information
CADSoftTools maintains the CADImage Plugin for IrfanView. Administrators should download the latest plugin build from the CADSoftTools website and replace the vulnerable DLL on all affected endpoints. Confirm remediation status through the Zero Day Initiative Advisory ZDI-25-505, which tracks vendor response.
Workarounds
- Uninstall the CADImage Plugin from IrfanView on systems that do not require DXF support.
- Run IrfanView under a low-privileged user account to limit the impact of code execution.
- Enforce application allowlisting to prevent IrfanView from launching unexpected child processes.
- Disable file associations for .dxf, .dwg, and related CAD formats within IrfanView.
# Remove the CADImage plugin DLL from a standard IrfanView installation
del "C:\Program Files\IrfanView\Plugins\CADIMAGE.DLL"
del "C:\Program Files (x86)\IrfanView\Plugins\CADIMAGE.DLL"
# Optional: block DXF associations via registry (run as administrator)
reg delete "HKCR\.dxf" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

