CVE-2025-7260 Overview
CVE-2025-7260 is an out-of-bounds write vulnerability [CWE-787] in the IrfanView CADImage Plugin. The flaw resides in the parser that processes Drawing Exchange Format (DXF) files. Attackers can trigger the issue by convincing a user to open a crafted DXF file or visit a malicious page that delivers one. Successful exploitation allows arbitrary code execution in the context of the IrfanView process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26129 and tracked publicly as ZDI-25-508.
Critical Impact
A crafted DXF file processed by the IrfanView CADImage Plugin enables remote attackers to execute arbitrary code with the privileges of the logged-in user.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) with the CADImage Plugin installed
- Any Windows host where the CADImage Plugin handles DXF files via IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7260 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7260
Vulnerability Analysis
The vulnerability stems from improper validation of user-supplied data during DXF file parsing inside the CADImage Plugin. The parser computes a write offset or buffer length from attacker-controlled fields without verifying that the destination buffer can hold the data. As a result, parsing a crafted DXF file produces a write past the end of an allocated buffer. Attackers who control adjacent memory can corrupt object pointers, function pointers, or virtual table entries used later by IrfanView.
Exploitation requires user interaction. The target must open a malicious DXF file or load one through a page that triggers IrfanView. The plugin executes inside the IrfanView process, so code runs with the privileges of the current user. Mapped to MITRE ATT&CK, this aligns with T1203 (Exploitation for Client Execution) and T1204.002 (User Execution: Malicious File).
Root Cause
The parser lacks bounds checks on length and offset fields embedded in DXF records. CADImage trusts attacker-controlled values when sizing or indexing the destination buffer, producing the out-of-bounds write classified under [CWE-787].
Attack Vector
Delivery typically occurs through phishing email attachments, drive-by downloads, or shared file repositories that contain a crafted .dxf file. The user opens the file in IrfanView, the CADImage Plugin parses it, and the malformed record triggers the memory corruption.
No verified public proof-of-concept code is available. Technical details are described in the Zero Day Initiative Advisory ZDI-25-508.
Detection Methods for CVE-2025-7260
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly cmd.exe, powershell.exe, or rundll32.exe
- IrfanView process crashes with access violations after opening .dxf files
- DXF files arriving from untrusted email senders, shared drives, or web downloads
- Suspicious outbound network connections from the IrfanView process following file open events
Detection Strategies
- Hunt for IrfanView processes loading CADImage.dll followed by anomalous module loads or shellcode-like memory regions
- Alert on IrfanView spawning interpreters, scripting hosts, or LOLBins (mshta.exe, regsvr32.exe, wscript.exe)
- Correlate DXF file open events with subsequent persistence operations such as Run-key writes or scheduled task creation
Monitoring Recommendations
- Enable command-line and module-load logging on workstations that handle CAD content
- Forward Windows Defender Exploit Guard or equivalent crash events for IrfanView to a central log store
- Track DXF files traversing email gateways and web proxies, and quarantine those from untrusted sources
How to Mitigate CVE-2025-7260
Immediate Actions Required
- Inventory endpoints running IrfanView and identify those with the CADImage Plugin installed
- Remove or disable the CADImage Plugin on hosts that do not require DXF support
- Block inbound .dxf attachments at email and web gateways until patching is complete
- Train users to avoid opening DXF files from untrusted sources
Patch Information
No vendor advisory URL is published in the NVD record at this time. Administrators should consult the Zero Day Initiative Advisory ZDI-25-508 and the CADSoftTools and IrfanView download pages for the latest CADImage Plugin release that addresses the out-of-bounds write.
Workarounds
- Uninstall the CADImage Plugin from IrfanView on hosts that do not need CAD viewing
- Remove the .dxf file association from IrfanView so the plugin is not invoked automatically
- Run IrfanView under a least-privilege user account and enforce application control policies that prevent it from spawning interpreters
- Apply attack surface reduction rules that block child process creation from image viewer applications
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

