CVE-2025-7271 Overview
CVE-2025-7271 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CadSoftTools. The flaw resides in the plugin's DXF file parser and stems from improper validation of user-supplied data [CWE-119]. Attackers can craft a malicious DXF file that, when opened by a user in IrfanView, triggers memory corruption and arbitrary code execution in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26193.
Critical Impact
Successful exploitation grants attackers code execution under the user's privileges, enabling persistence, data theft, and lateral movement from a single opened DXF file.
Affected Products
- IrfanView (x86 and x64 builds with the CADImage plugin installed)
- CadSoftTools CADImage plugin for IrfanView (x86)
- CadSoftTools CADImage plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7271 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7271
Vulnerability Analysis
The vulnerability exists in the DXF file parsing logic of the CADImage plugin distributed for IrfanView. DXF (Drawing Exchange Format) is an AutoCAD-derived vector format that encodes geometric entities, layers, and metadata through tagged ASCII or binary records. The plugin processes these records to render CAD drawings inside IrfanView. The parser fails to properly validate fields supplied within a DXF file before using them in memory operations, producing a memory corruption condition mapped to [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
An attacker who can deliver a malicious DXF file, through a web page download, email attachment, or shared drive, can corrupt memory inside the IrfanView process. The corruption permits hijacking of program control flow and execution of attacker-supplied code at the privilege level of the current user. Exploitation requires user interaction: the victim must open the file or visit a page that triggers its opening.
Root Cause
The root cause is the absence of bounds and structural validation on attacker-controlled fields parsed from the DXF stream. When the plugin reads length or index values from the file, it trusts those values when allocating, copying, or indexing memory buffers, leading to an out-of-bounds write or corrupted heap metadata.
Attack Vector
The attack vector is local in CVSS terms because it requires file opening, but delivery is trivially remote. Common delivery channels include drive-by downloads, phishing emails carrying .dxf attachments, and malicious file-sharing sites. The CVSS vector AV:L/AC:L/PR:N/UI:R reflects local execution with required user interaction and no privileges.
No verified public proof-of-concept code is available. Technical details are referenced in the Zero Day Initiative Advisory ZDI-25-520.
Detection Methods for CVE-2025-7271
Indicators of Compromise
- IrfanView (i_view32.exe or i_view64.exe) spawning unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe shortly after opening a .dxf file.
- Crash dumps or Windows Error Reporting events for IrfanView referencing the CADIMAGE.DLL module.
- Inbound .dxf files from untrusted email senders or web downloads landing in user profile directories.
Detection Strategies
- Hunt for process lineage where IrfanView is the parent of any scripting host, LOLBin, or network-capable binary.
- Monitor file-system telemetry for .dxf files written to Downloads, Temp, or email-client attachment paths followed by an IrfanView execution event.
- Correlate access violation exceptions in IrfanView with subsequent outbound network connections from the same process.
Monitoring Recommendations
- Enable command-line and module-load logging on endpoints that have IrfanView installed, and forward events to your SIEM.
- Track loaded modules to identify hosts running the CADImage plugin so patch coverage can be measured.
- Alert on any IrfanView crash followed within seconds by new persistence artifacts such as registry Run keys or scheduled tasks.
How to Mitigate CVE-2025-7271
Immediate Actions Required
- Inventory all systems where IrfanView is installed and identify which have the CADImage plugin deployed.
- Update the CADImage plugin and IrfanView to the latest versions released by CadSoftTools and IrfanView after the ZDI-25-520 advisory.
- Block inbound .dxf attachments at the email gateway for users who do not require CAD file handling.
- Restrict execution of IrfanView through application control policies on high-risk user populations.
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-520 and the CadSoftTools product page for the fixed CADImage plugin build. No specific vendor advisory URL was published in NVD at disclosure; administrators should obtain the most recent plugin installer directly from CadSoftTools.
Workarounds
- Uninstall or disable the CADImage plugin if DXF rendering is not required, by removing the plugin DLL from the IrfanView Plugins directory.
- Remove the file association for .dxf from IrfanView so the file format is not opened by default.
- Run IrfanView under a standard user account with Attack Surface Reduction rules enabled to limit post-exploitation impact.
# Example: remove the CADImage plugin from a managed IrfanView install
set IV_DIR=C:\Program Files\IrfanView\Plugins
del "%IV_DIR%\CADIMAGE.DLL"
del "%IV_DIR%\CADIMAGE.INI"
# Optional: remove DXF file association via registry
reg delete "HKCR\.dxf" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

