CVE-2025-7269 Overview
CVE-2025-7269 is an out-of-bounds read vulnerability in the IrfanView CADImage Plugin that allows remote attackers to execute arbitrary code on affected installations. The flaw resides in the parser for Drawing Exchange Format (DXF) files and stems from missing validation of user-supplied data [CWE-125]. Attackers can leverage the read past the end of an allocated buffer to execute code in the context of the current process. Exploitation requires user interaction, such as opening a crafted DXF file or visiting a malicious page that delivers one. The Zero Day Initiative tracked the issue as ZDI-CAN-26188 and published advisory ZDI-25-517.
Critical Impact
Successful exploitation grants arbitrary code execution in the context of the user running IrfanView, enabling full compromise of the local user account.
Affected Products
- CadSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
- IrfanView (x86 and x64 builds) with the CADImage plugin installed
- Windows systems where users open untrusted DXF files in IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7269 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7269
Vulnerability Analysis
The vulnerability resides in the CADImage plugin component that parses DXF files for IrfanView. DXF is an ASCII or binary CAD interchange format developed by Autodesk to represent vector drawing data. The plugin reads structured records from the file and uses fields from those records to determine how much data to consume from internal buffers. When a malformed DXF file supplies length or index fields that the parser does not validate, the plugin reads beyond the bounds of the allocated buffer.
This out-of-bounds read [CWE-125] leaks adjacent process memory into parsing logic and corrupts subsequent control flow. An attacker who shapes the surrounding heap layout can convert the disclosure into arbitrary code execution within the IrfanView process. Because the IrfanView process runs at the privilege level of the invoking user, the attacker inherits those permissions.
Root Cause
The root cause is missing bounds validation on attacker-controlled fields parsed from the DXF input. The plugin trusts size or offset values embedded in the file and reads from the buffer without confirming the values fall within the allocated region. CWE-125 (Out-of-bounds Read) characterizes this class of defect.
Attack Vector
Exploitation requires the victim to open a malicious DXF file in IrfanView or to load a page that triggers DXF handling through file association or drag-and-drop. The attack surface is local file processing, but delivery typically occurs over the web, email attachments, or shared drives. No authentication is required on the target system, and the attacker only needs the user to open the crafted file. For technical specifics, see the Zero Day Initiative Advisory ZDI-25-517.
Detection Methods for CVE-2025-7269
Indicators of Compromise
- DXF files received from untrusted sources with unusually large or malformed section headers
- Unexpected child processes spawned by i_view32.exe or i_view64.exe such as cmd.exe, powershell.exe, or rundll32.exe
- Crash reports or Windows Error Reporting entries referencing the CADImage plugin module during DXF processing
- Outbound network connections initiated by the IrfanView process shortly after opening a CAD file
Detection Strategies
- Monitor process creation events where IrfanView is the parent of script interpreters or LOLBins
- Inspect file-open telemetry for DXF extensions opened from temporary directories, browser download folders, or email attachment caches
- Hunt for IrfanView process crashes correlated with recently opened DXF or DWG files
Monitoring Recommendations
- Enable command-line and image-load auditing on endpoints that have IrfanView installed
- Forward endpoint process telemetry to a centralized analytics platform and alert on IrfanView spawning unexpected children
- Track installations of the CADImage plugin across the fleet to scope exposure
How to Mitigate CVE-2025-7269
Immediate Actions Required
- Inventory endpoints with IrfanView and the CADImage plugin installed and prioritize them for remediation
- Block or quarantine inbound DXF files from external email senders at the mail gateway until a fix is applied
- Instruct users to avoid opening DXF files from untrusted sources in IrfanView
Patch Information
At the time of NVD publication, no vendor patch URL is listed in the CVE record. Administrators should consult CadSoftTools and IrfanView vendor channels and the Zero Day Initiative Advisory ZDI-25-517 for current fix availability and update to the latest CADImage plugin and IrfanView release once published.
Workarounds
- Uninstall the CADImage plugin from IrfanView on systems that do not require CAD file viewing
- Remove DXF and related CAD extensions from IrfanView file associations to prevent accidental opening
- Run IrfanView under a standard user account with no administrative privileges and enforce application allow-listing to limit downstream execution
# Example: remove the CADImage plugin DLL from an IrfanView install (run as admin)
set IV_DIR="C:\Program Files\IrfanView\Plugins"
del /f /q %IV_DIR%\CADIMAGE.DLL
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

