CVE-2025-7254 Overview
CVE-2025-7254 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code on affected installations. The flaw resides in the parsing logic for Drawing Exchange Format (DXF) files and stems from missing validation of user-supplied data [CWE-119]. Exploitation requires user interaction: the victim must open a malicious DXF file or visit a page that triggers one. The Zero Day Initiative tracked this issue as ZDI-CAN-26113 and published advisory ZDI-25-496. Successful exploitation grants the attacker code execution in the context of the current process running IrfanView.
Critical Impact
Attackers who deliver a crafted DXF file can execute arbitrary code on the victim's system with the privileges of the IrfanView process, leading to full host compromise when the user is privileged.
Affected Products
- IrfanView (x86 and x64 builds)
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7254 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7254
Vulnerability Analysis
The CADImage plugin extends IrfanView with support for CAD formats including DXF, the ASCII and binary interchange format used by AutoCAD and other CAD tools. When the plugin parses a DXF file, it consumes structured group codes and associated values that describe entities, headers, and tables. The plugin does not adequately validate these user-controlled fields before using them to drive memory operations, producing a memory corruption condition classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
An attacker who controls the contents of a DXF file can manipulate length fields, indices, or section structures to force out-of-bounds memory access during parsing. The corruption is reachable from the standard image-loading path that IrfanView invokes when a user opens the file. Because IrfanView is a desktop image viewer commonly associated with many file extensions, attackers can rely on routine user behavior, double-clicking an attachment or downloaded file, to trigger the parser.
Root Cause
The root cause is the lack of proper validation of user-supplied data during DXF file parsing inside the CADImage plugin. Untrusted fields drive memory operations without enforcement of buffer boundaries, allowing crafted input to overwrite adjacent memory and influence execution flow.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious DXF file via email attachment, drive-by download, file share, or web link. When the victim opens the file with IrfanView and the CADImage plugin is installed, the parser processes the malformed structures and triggers memory corruption that can be steered into arbitrary code execution within the IrfanView process.
No verified public exploit code is available for this issue. Technical details are described in the Zero Day Initiative Advisory ZDI-25-496.
Detection Methods for CVE-2025-7254
Indicators of Compromise
- DXF files arriving from untrusted email senders, web downloads, or removable media, especially those with unusual sizes or malformed headers.
- IrfanView (i_view32.exe or i_view64.exe) crashes or unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned shortly after opening a CAD file.
- New persistence artifacts (Run keys, scheduled tasks, startup folder entries) created in the same session as a DXF file open event.
- Outbound network connections from the IrfanView process to unfamiliar hosts following file open.
Detection Strategies
- Hunt for process lineage where IrfanView spawns interpreters, scripting hosts, or LOLBins, which is anomalous for an image viewer.
- Inspect file write and module load events from the CADImage plugin DLL for signs of in-memory payload staging.
- Correlate Windows Defender or EDR memory protection events (such as DEP or CFG violations) with recent DXF file access.
Monitoring Recommendations
- Log and alert on opens of .dxf, .dwg, and other CAD extensions on endpoints that do not have a business need for CAD viewing.
- Monitor crash dumps for i_view32.exe and i_view64.exe and route them to triage for exploitation analysis.
- Track plugin DLL versions across the fleet to confirm patch coverage of the CADImage component.
How to Mitigate CVE-2025-7254
Immediate Actions Required
- Update IrfanView and the CADImage plugin to the latest versions available from the vendors and CADSoftTools.
- Remove the CADImage plugin from systems that do not need CAD file support until a fixed version is deployed.
- Block inbound DXF and DWG files at email gateways and web proxies for users outside of engineering and design teams.
- Educate users not to open CAD files from unsolicited or unverified sources.
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-496 for vendor coordination status. Apply the latest IrfanView and CADImage plugin releases that address DXF parsing memory safety issues. Validate patch deployment by checking installed plugin versions on each endpoint.
Workarounds
- Uninstall or disable the CADImage plugin by removing its DLL from the IrfanView Plugins directory.
- Disassociate .dxf and .dwg file extensions from IrfanView so they cannot be opened by double-click.
- Run IrfanView under a standard user account with no administrative privileges to limit the impact of successful exploitation.
- Enforce attack surface reduction and exploit protection policies (DEP, ASLR, CFG) on the IrfanView executables.
# Remove the CADImage plugin DLL to disable DXF parsing in IrfanView
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"
# Remove .dxf file association (run as administrator)
assoc .dxf=
ftype IrfanView.DXF=
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

