Skip to main content
CVE Vulnerability Database

CVE-2025-7273: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7273 is a remote code execution flaw in Cadsofttools Cadimage affecting DXF file parsing that allows attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-7273 Overview

CVE-2025-7273 is an out-of-bounds read vulnerability in the IrfanView CADImage Plugin. The flaw resides in the plugin's DXF file parsing logic and stems from insufficient validation of user-supplied data. Attackers can exploit the issue to execute arbitrary code in the context of the current process. Exploitation requires the target to open a malicious DXF file or visit a page that delivers one. The vulnerability was reported to the vendor through the Zero Day Initiative under the identifier ZDI-CAN-26202 and disclosed as ZDI-25-519.

Critical Impact

Successful exploitation grants arbitrary code execution in the context of the user running IrfanView, enabling attackers to install malware, steal data, or pivot deeper into the environment.

Affected Products

  • CADSoftTools CADImage Plugin for IrfanView (x64 and x86 builds)
  • IrfanView (x64)
  • IrfanView (x86)

Discovery Timeline

  • 2025-07-21 - CVE-2025-7273 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7273

Vulnerability Analysis

The vulnerability is an out-of-bounds read [CWE-125] in the CADImage plugin distributed with IrfanView. The CADImage plugin extends IrfanView to render CAD formats, including AutoCAD Drawing Exchange Format (DXF) files. When the plugin parses a crafted DXF file, it reads beyond the end of an allocated buffer. Attackers can leverage this memory corruption primitive to disclose adjacent memory or manipulate control flow, resulting in arbitrary code execution within the IrfanView process. Exploitation requires user interaction, but IrfanView is commonly registered as a default handler for image and CAD-adjacent files, increasing the odds of accidental triggering.

Root Cause

The root cause is missing validation of length or offset fields inside DXF file structures before the plugin reads from a heap-allocated buffer. Because the parser trusts attacker-controlled sizes, it dereferences memory past the allocation boundary. This behavior is captured under [CWE-125: Out-of-bounds Read].

Attack Vector

The attack vector is local file processing with required user interaction. An attacker delivers a malicious DXF file through email, a compromised website, a shared drive, or a drive-by download. When the user opens the file in IrfanView with the CADImage plugin installed, parsing triggers the out-of-bounds read and enables code execution. No elevated privileges are needed before exploitation, and the attacker gains the privileges of the current user.

No public proof-of-concept code has been released for CVE-2025-7273. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-519.

Detection Methods for CVE-2025-7273

Indicators of Compromise

  • Unexpected i_view64.exe or i_view32.exe processes spawning child processes such as cmd.exe, powershell.exe, or rundll32.exe immediately after opening a DXF file.
  • DXF files arriving through email attachments, browser downloads, or removable media that reference the CADImage plugin path (Plugins\CADIMAGE.DLL).
  • Crash dumps of IrfanView referencing access violations inside CADIMAGE.DLL during DXF parsing.

Detection Strategies

  • Monitor endpoint telemetry for IrfanView loading CADIMAGE.DLL followed by process injection, suspicious network beacons, or persistence writes.
  • Inspect file-open events for DXF extensions handled by IrfanView and correlate with subsequent Windows Error Reporting (WER) crash events in CADIMAGE.DLL.
  • Deploy YARA rules that flag malformed DXF section headers with oversized GROUP CODE length fields inconsistent with the file body.

Monitoring Recommendations

  • Alert on new or unmanaged installations of the CADImage plugin across the fleet, particularly on developer and engineering workstations.
  • Log and review command-line arguments for IrfanView invocations originating from mail clients, browsers, or archive extractors.
  • Track outbound connections initiated by the IrfanView process, which should rarely make network calls during normal image viewing.

How to Mitigate CVE-2025-7273

Immediate Actions Required

  • Inventory all endpoints running IrfanView and identify systems with the CADImage plugin installed.
  • Upgrade IrfanView and the CADImage plugin to the latest versions provided by CADSoftTools and IrfanView once a patched release is available.
  • Restrict DXF file handling to trusted sources and block DXF attachments at the email gateway where feasible.

Patch Information

Refer to the Zero Day Initiative Advisory ZDI-25-519 for vendor coordination status and remediation guidance. Users should apply the latest CADImage plugin and IrfanView releases from the official vendor sites. No vendor advisory URL is listed in the NVD record at the time of publication.

Workarounds

  • Uninstall the CADImage plugin from IrfanView on endpoints that do not require DXF or CAD file rendering.
  • Remove IrfanView as the default handler for DXF files and disassociate the .dxf extension from the application.
  • Apply application control policies to block execution of CADIMAGE.DLL on systems without a business need for CAD file viewing.
bash
# Example: Remove CADImage plugin DLL from an IrfanView installation on Windows
del "C:\Program Files\IrfanView\Plugins\CADIMAGE.DLL"

# Example: Remove the .dxf file association for the current user
reg delete "HKCU\Software\Classes\.dxf" /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.