CVE-2025-7257 Overview
CVE-2025-7257 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code through malicious DXF files. The flaw resides in the plugin's parser for Drawing Exchange Format (DXF) files, where user-supplied data is not properly validated. An attacker convinces a user to open a crafted DXF file or visit a malicious page hosting one. Successful exploitation runs code in the context of the current IrfanView process. This issue is tracked by the Zero Day Initiative as ZDI-CAN-26126 and mapped to [CWE-119].
Critical Impact
Attackers can achieve arbitrary code execution on Windows systems by delivering a malicious DXF file to a user running the IrfanView CADImage Plugin.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86 and x64 builds)
- IrfanView image viewer (x86 and x64 builds) with the CADImage plugin installed
- Windows workstations using IrfanView to open DXF/CAD files
Discovery Timeline
- 2025-07-21 - CVE-2025-7257 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7257
Vulnerability Analysis
The vulnerability exists inside the CADImage plugin routine that parses DXF files. DXF is a text- or binary-based CAD interchange format containing structured group codes and value pairs. The parser reads attacker-controlled fields from the file and uses them to size or index memory operations without proper bounds enforcement. This produces a memory corruption condition classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). An attacker who controls the malformed fields can influence adjacent memory, corrupt control structures, and redirect execution.
Because IrfanView commonly runs in the interactive user session, successful exploitation executes attacker code with the privileges of the logged-on user. That access is sufficient to drop payloads, harvest credentials from the user profile, or stage lateral movement.
Root Cause
The root cause is missing validation of user-supplied length, offset, or count values read from the DXF file. The plugin trusts these values when performing buffer operations, leading to out-of-bounds access and memory corruption during parsing.
Attack Vector
Exploitation requires user interaction. The victim must open a malicious .dxf file in IrfanView, or open one delivered through a web page, email attachment, or shared drive. No network privileges or authentication are required against the target application. The attack vector is local to the parsing process, but delivery can occur remotely through standard phishing or drive-by download techniques.
No public proof-of-concept or in-the-wild exploitation has been reported. Technical details are available in the Zero Day Initiative Advisory ZDI-25-503.
Detection Methods for CVE-2025-7257
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe
- Crashes of IrfanView with faulting module references to the CADImage plugin DLL when opening DXF files
- DXF files arriving via email, chat, or web downloads from untrusted senders, particularly with abnormal size or malformed group code sections
- New persistence artifacts (Run keys, scheduled tasks) created immediately after a user opened a CAD file
Detection Strategies
- Hunt for process lineage where IrfanView is the parent of a shell, script interpreter, or LOLBin
- Monitor for module load events involving the CADImage plugin followed by anomalous memory allocations or thread creations
- Inspect email and web gateways for .dxf attachments and correlate delivery with subsequent endpoint activity
- Alert on IrfanView process crashes (Windows Error Reporting, event ID 1000) referencing the CADImage DLL
Monitoring Recommendations
- Enable command-line and process creation logging (Sysmon Event ID 1, Windows Event ID 4688) on user workstations
- Forward endpoint telemetry into a central SIEM or data lake for correlation across mail, web, and process events
- Track file-write activity by IrfanView outside of expected image directories
- Maintain a watchlist for users who routinely open CAD content and increase telemetry retention for those endpoints
How to Mitigate CVE-2025-7257
Immediate Actions Required
- Update the IrfanView CADImage Plugin to the latest version released by CADSoftTools that addresses ZDI-25-503
- Remove or disable the CADImage plugin on endpoints that do not require DXF/CAD viewing
- Block inbound .dxf attachments at email gateways for user populations that do not process CAD files
- Instruct users not to open DXF files from untrusted or unexpected sources
Patch Information
Refer to CADSoftTools for the patched CADImage plugin build and to IrfanView for compatible viewer releases. The authoritative technical reference is the Zero Day Initiative Advisory ZDI-25-503. At the time of publication no separate vendor advisory URL was recorded in NVD.
Workarounds
- Uninstall the CADImage plugin from IrfanView installations that do not require DXF support
- Change the default handler for .dxf files to an application that does not use the CADImage parser
- Run IrfanView under a standard (non-administrative) user account to limit post-exploitation impact
- Apply application allowlisting to prevent IrfanView from spawning shells, script hosts, or unsigned binaries
# Windows: remove file association for .dxf so IrfanView is not the default handler
assoc .dxf=
ftype dxffile=
# Optional: block the CADImage plugin DLL from loading via WDAC / AppLocker policy
# (example AppLocker DLL rule fragment - adjust path to your install)
# Path: %ProgramFiles%\IrfanView\Plugins\CADIMAGE.DLL -> Deny
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

