CVE-2025-7256 Overview
CVE-2025-7256 is a memory corruption vulnerability in the IrfanView CADImage plugin developed by CADSoftTools. The flaw exists in the plugin's parsing logic for Drawing Exchange Format (DXF) files. Attackers can trigger the vulnerability by convincing a user to open a crafted DXF file or visit a malicious page that delivers one. Successful exploitation allows arbitrary code execution in the context of the IrfanView process. The vulnerability is tracked by the Zero Day Initiative as ZDI-CAN-26119 and disclosed under advisory ZDI-25-502. The weakness is classified as [CWE-119] (improper restriction of operations within the bounds of a memory buffer).
Critical Impact
Attackers can achieve arbitrary code execution under the current user account by delivering a malicious DXF file through phishing or drive-by download.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86)
- CADSoftTools CADImage plugin for IrfanView (x64)
- IrfanView image viewer (x86 and x64) installations bundling the CADImage plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7256 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7256
Vulnerability Analysis
The vulnerability resides in the CADImage plugin module that IrfanView loads to render CAD-format images. When the plugin parses a DXF file, it fails to validate user-supplied fields embedded in the file before using them in memory operations. The resulting memory corruption is reachable through normal file-open workflows, including thumbnail rendering and browser-launched file associations. Because IrfanView runs in user context, code executed through this flaw inherits the privileges of the logged-on user.
The ZDI advisory ZDI-25-502 notes that user interaction is required: the victim must open a malicious DXF file or visit a page that triggers IrfanView to process one. No authentication or network privilege is required from the attacker.
Root Cause
The root cause is improper validation of values inside the DXF structure during parsing. DXF is an ASCII or binary CAD interchange format containing group codes, entity records, and length-prefixed data blocks. When the CADImage parser consumes these structures, it uses attacker-controlled values to drive memory accesses without bounds checks, producing a memory corruption condition consistent with [CWE-119]. This primitive is sufficient to corrupt control data and pivot execution.
Attack Vector
The attack vector is local file handling combined with required user interaction. A typical attack chain delivers the malicious .dxf file by email attachment, web download, or shared storage. When the user opens the file in IrfanView, or any workflow that invokes the CADImage plugin, the parsing flaw triggers and the attacker's payload executes. Drive-by scenarios are possible where a browser hands a CAD file to IrfanView through file associations.
No public proof-of-concept exploit is listed in Exploit-DB at the time of publication. The vulnerability is not present on the CISA Known Exploited Vulnerabilities list.
Detection Methods for CVE-2025-7256
Indicators of Compromise
- Unexpected i_view32.exe or i_view64.exe child processes spawning command shells, powershell.exe, or scripting hosts after a DXF file is opened
- Crashes or Windows Error Reporting events referencing CADImage.dll or related CADSoftTools modules
- DXF files delivered by email or downloaded from untrusted web origins, particularly those exceeding typical CAD file sizes or containing unusual group code sequences
- Outbound network connections initiated by the IrfanView process shortly after image rendering
Detection Strategies
- Monitor process creation telemetry for IrfanView spawning interpreters, LOLBins, or unsigned binaries from user-writable paths
- Inspect module load events for CADImage.dll followed by access violations or exception handler invocations
- Apply YARA or content inspection rules at the email and web gateway to flag DXF attachments from external senders
- Correlate file-open events on .dxf extensions with subsequent privilege-sensitive activity such as registry persistence writes or scheduled task creation
Monitoring Recommendations
- Enable detailed image-load and process-creation auditing on workstations where IrfanView is installed
- Forward endpoint telemetry, including crash dumps, into a centralized analytics platform for retrospective hunting
- Track the population of hosts that retain vulnerable CADImage plugin versions until patching is confirmed
How to Mitigate CVE-2025-7256
Immediate Actions Required
- Update the IrfanView CADImage plugin to the latest version published by CADSoftTools as referenced in ZDI-25-502
- Remove the CADImage plugin from systems that do not require CAD file viewing, reducing the available attack surface in IrfanView
- Block inbound DXF attachments at email gateways and quarantine DXF files arriving from untrusted external sources
- Restrict the file association for .dxf so that double-click actions do not automatically invoke IrfanView for non-administrative users
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-502 for vendor coordination details. Apply the most recent CADImage plugin release from CADSoftTools and the latest IrfanView build. Confirm that the updated plugin DLL replaces prior copies in all IrfanView installation directories, including portable installs.
Workarounds
- Uninstall or disable the CADImage plugin on endpoints that do not need DXF rendering
- Disallow execution of IrfanView for standard users through application control policies such as Windows Defender Application Control or AppLocker until patches are deployed
- Open untrusted DXF files only inside an isolated virtual machine or sandbox with no network access
# Example AppLocker-style restriction logic (conceptual)
# Block IrfanView from launching when invoked with .dxf arguments until patched
Deny: i_view32.exe, i_view64.exe
Condition: CommandLine contains ".dxf"
Scope: Standard users
Until: CADImage plugin version >= fixed release per ZDI-25-502
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

