CVE-2025-7272 Overview
CVE-2025-7272 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw resides in the plugin's parser for Drawing Exchange Format (DXF) files. Attackers can trigger arbitrary code execution by enticing a user to open a crafted DXF file or visit a page that delivers one. The issue is tracked as ZDI-CAN-26198 and classified under [CWE-119] Improper Restriction of Operations within the Bounds of a Memory Buffer.
Critical Impact
Successful exploitation grants code execution in the context of the IrfanView process on the targeted Windows endpoint, enabling malware installation, credential theft, or lateral movement.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) installations using the CADImage Plugin
- Windows endpoints opening DXF files through the affected plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7272 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7272
Vulnerability Analysis
The CADImage Plugin extends IrfanView with parsers for computer-aided design formats, including DXF. DXF is an ASCII or binary container format used to exchange CAD drawings. The plugin processes structured records describing entities, blocks, and tables when loading a file.
The vulnerability stems from missing validation of attacker-controlled fields within a DXF document. When the plugin reads malformed length or offset values, it manipulates memory outside the bounds of an allocated buffer. This memory corruption condition is sufficient to redirect execution into attacker-controlled data. The attacker gains code execution at the privilege level of the IrfanView process.
Exploitation requires user interaction. The victim must open the malicious DXF file with IrfanView or trigger the parser through a browser handler associated with the plugin. The attack vector is local because file delivery and execution occur on the user's machine, though initial delivery commonly uses email, web downloads, or chat platforms.
Root Cause
The root cause is improper validation of size or index fields embedded in DXF records. The CADImage parser trusts attacker-supplied values when calculating buffer operations, allowing an out-of-bounds memory write that corrupts adjacent structures. CWE-119 describes this class of defect.
Attack Vector
An attacker crafts a DXF file containing manipulated length or pointer fields. The attacker delivers the file through phishing, a malicious website, a shared archive, or a file-sharing service. When the user opens the file in IrfanView with the CADImage Plugin installed, the parser corrupts memory and transfers control to attacker-supplied shellcode.
No verified proof-of-concept is publicly available. Refer to the Zero Day Initiative Advisory ZDI-25-521 for additional technical context.
Detection Methods for CVE-2025-7272
Indicators of Compromise
- DXF files delivered from untrusted email senders, downloads, or messaging platforms that are opened by i_view32.exe or i_view64.exe
- Child processes spawned by IrfanView such as cmd.exe, powershell.exe, rundll32.exe, or regsvr32.exe
- Unexpected outbound network connections originating from the IrfanView process after a DXF file is opened
- Crash dumps or Windows Error Reporting events referencing CADImage.dll or DXF parsing routines
Detection Strategies
- Hunt for IrfanView processes loading the CADImage Plugin and subsequently writing executables or scripts to disk
- Alert on DXF file opens followed by process injection, token manipulation, or memory allocation patterns consistent with shellcode execution
- Inspect endpoint telemetry for the parent-child relationship i_view*.exe to interactive shells or living-off-the-land binaries
Monitoring Recommendations
- Forward IrfanView process telemetry, file access events, and module loads to a central data lake for retrospective hunting
- Track installations of the CADImage Plugin across managed Windows endpoints and reconcile against approved software inventories
- Monitor email and web gateways for inbound DXF attachments and apply sandbox analysis before delivery
SentinelOne Singularity Endpoint uses behavioral AI to identify post-exploitation activity such as anomalous child processes and memory injection originating from document parsers, supporting identification of attacks that leverage CVE-2025-7272.
How to Mitigate CVE-2025-7272
Immediate Actions Required
- Update the IrfanView CADImage Plugin to the latest version published by CADSoftTools
- Remove the CADImage Plugin from IrfanView installations that do not require DXF or CAD support
- Block DXF file attachments at email and web gateways pending verification of patch deployment
- Educate users on the risk of opening unsolicited CAD files received through email or messaging platforms
Patch Information
CADSoftTools maintains the CADImage Plugin distribution. Administrators should download the most recent plugin build from the vendor and replace existing DLLs in the IrfanView Plugins directory. Consult the Zero Day Initiative Advisory ZDI-25-521 for the latest remediation status.
Workarounds
- Uninstall or remove CADImage.dll from the IrfanView Plugins directory if CAD support is not required
- Disassociate the .dxf extension from IrfanView in Windows file associations to prevent automatic parsing
- Restrict execution of IrfanView with application allowlisting and run it under a low-privilege user account
# Remove the CADImage plugin from a standard IrfanView installation
del "C:\Program Files\IrfanView\Plugins\CADImage.dll"
del "C:\Program Files (x86)\IrfanView\Plugins\CADImage.dll"
# Disassociate DXF from IrfanView (run as administrator)
assoc .dxf=
ftype IrfanView.DXF=
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

