Skip to main content
CVE Vulnerability Database

CVE-2025-7267: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7267 is a remote code execution flaw in Cadsofttools Cadimage that exploits DXF file parsing errors, allowing attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-7267 Overview

CVE-2025-7267 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the plugin's DXF file parsing routine and stems from missing validation of user-supplied data. Attackers can leverage the issue to execute arbitrary code in the context of the current user. Exploitation requires the victim to open a malicious DXF file or visit a page that triggers the file handler. The Zero Day Initiative tracked the issue as ZDI-CAN-26179 before publication.

Critical Impact

Successful exploitation allows arbitrary code execution within the IrfanView process, enabling attackers to compromise the victim's account and pivot deeper into the host.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) installations bundling the CADImage plugin
  • Workstations processing DXF files through IrfanView

Discovery Timeline

  • 2025-07-21 - CVE-2025-7267 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7267

Vulnerability Analysis

The vulnerability sits inside the CADImage plugin's Drawing Exchange Format (DXF) parser. When the plugin processes a crafted DXF file, it reads memory past the end of an allocated buffer. The read primitive can leak adjacent heap data and corrupt control flow when reused by downstream rendering logic. ZDI categorizes the flaw as a local attack requiring user interaction, since the victim must open the malicious file inside IrfanView. The plugin runs in-process with i_view32.exe or i_view64.exe, so any resulting code execution inherits the user's privileges. The EPSS score of 0.22% reflects limited current exploitation telemetry, but DXF is a common interchange format that travels through email and shared drives, which increases social-engineering viability.

Root Cause

The CADImage parser fails to validate length, offset, or record-count fields embedded in DXF group codes before dereferencing them. Because DXF is an ASCII or binary CAD interchange format with variable-length records, missing bounds checks let an attacker steer reads beyond the allocated parsing buffer. CWE-125 captures this class of defect.

Attack Vector

An attacker delivers a malicious .dxf file through email, a download link, or shared storage. When a user opens the file in IrfanView with the CADImage plugin installed, the parser triggers the out-of-bounds read. Chained with a memory-disclosure-to-control-flow primitive, the issue yields arbitrary code execution at the user's privilege level.

No public proof-of-concept code is available. Technical specifics are documented in the Zero Day Initiative Advisory ZDI-25-515.

Detection Methods for CVE-2025-7267

Indicators of Compromise

  • Unexpected crashes or Windows Error Reporting events tied to i_view32.exe or i_view64.exe while opening DXF files
  • DXF files with anomalous group code structures, oversized header records, or truncated section markers arriving via email or file shares
  • Child processes such as cmd.exe, powershell.exe, or rundll32.exe spawning from IrfanView

Detection Strategies

  • Hunt for IrfanView processes loading the CADImage plugin DLL and subsequently spawning interpreter or scripting child processes
  • Correlate file-open telemetry for .dxf extensions with downstream network connections originating from the IrfanView process
  • Inspect crash dumps for access violations in CADImage parser frames to identify exploitation attempts

Monitoring Recommendations

  • Forward endpoint process, image-load, and crash telemetry to a centralized analytics platform for cross-host correlation
  • Alert on DXF attachments delivered to users who routinely operate IrfanView, especially from external senders
  • Track installed versions of IrfanView and the CADImage plugin across the fleet to identify unpatched hosts

How to Mitigate CVE-2025-7267

Immediate Actions Required

  • Inventory endpoints running IrfanView with the CADImage plugin and restrict DXF handling on hosts that cannot be patched promptly
  • Block or quarantine inbound .dxf attachments at the mail gateway until vendor updates are validated
  • Educate users who handle CAD content about the risk of opening untrusted DXF files

Patch Information

Review the Zero Day Initiative Advisory ZDI-25-515 and the CADSoftTools and IrfanView project pages for the latest CADImage plugin release. Upgrade IrfanView and the CADImage plugin to versions that address the DXF parsing flaw on both x86 and x64 builds.

Workarounds

  • Uninstall or disable the CADImage plugin if DXF support is not required for business workflows
  • Remove the .dxf file association from IrfanView and route CAD review through a hardened CAD application in a sandboxed environment
  • Apply application allowlisting or Windows Defender Application Control to prevent IrfanView from spawning interpreter processes
bash
# Configuration example: remove the CADImage plugin DLL from an IrfanView install
del "C:\Program Files\IrfanView\Plugins\CADIMAGE.DLL"
# Verify no remaining DXF handler registration
reg query "HKCR\.dxf" /s

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.