CVE-2025-7276 Overview
CVE-2025-7276 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code through malicious DXF files. The flaw exists in the plugin's DXF file parser, which fails to properly validate user-supplied data before processing. Attackers exploit the issue by convincing users to open a crafted DXF file or visit a malicious page that delivers one. Successful exploitation runs code in the context of the current user process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26208 and tracks to weakness class [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Attackers can achieve arbitrary code execution on systems running vulnerable versions of the IrfanView CADImage Plugin by tricking a user into opening a malicious DXF file.
Affected Products
- CadSoftTools CADImage Plugin for IrfanView (x86)
- CadSoftTools CADImage Plugin for IrfanView (x64)
- IrfanView (x86 and x64) installations using the CADImage Plugin
Discovery Timeline
- 2025-07-21 - CVE-2025-7276 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7276
Vulnerability Analysis
The vulnerability resides in the DXF file parsing logic of the CADImage Plugin used by IrfanView. DXF is the Drawing Exchange Format developed by Autodesk for representing CAD drawings as structured text or binary records. When the plugin parses a malformed DXF file, it processes attacker-controlled fields without applying adequate bounds checks. This results in a memory corruption condition that can be steered to control program execution. Because IrfanView loads the plugin in-process, exploitation grants code execution at the privilege level of the user running IrfanView.
Root Cause
The root cause is improper validation of user-supplied data during DXF parsing, classified under [CWE-119]. Specific length or count fields embedded in a malicious DXF file are trusted without verification against destination buffer sizes. A crafted record can therefore corrupt adjacent memory structures, function pointers, or control data used later by the plugin.
Attack Vector
Exploitation requires user interaction. The target must open a malicious DXF file in IrfanView with the CADImage Plugin installed, or visit a web page that delivers such a file through a download or file-association handler. The attack vector is local with low complexity and no required privileges. Phishing campaigns delivering CAD attachments to engineering, manufacturing, or architecture environments are a likely delivery path.
No public proof-of-concept code is available. The Zero Day Initiative advisory ZDI-25-523 describes the parsing flaw without releasing exploitation details. See the Zero Day Initiative Advisory ZDI-25-523 for the technical disclosure.
Detection Methods for CVE-2025-7276
Indicators of Compromise
- Unexpected child processes spawned from i_view32.exe or i_view64.exe, particularly command interpreters such as cmd.exe, powershell.exe, or rundll32.exe.
- DXF files arriving as email attachments or downloads from untrusted sources, especially with unusually large or malformed header sections.
- Crash dumps or Windows Error Reporting events referencing the CADImage Plugin module loaded inside the IrfanView process.
Detection Strategies
- Monitor process-creation telemetry for IrfanView processes opening DXF files and immediately spawning interactive shells or network utilities.
- Apply file-content inspection on incoming DXF attachments at the email gateway, flagging files with malformed group codes or oversized entity records.
- Hunt for memory-protection violations and access violations in IrfanView processes using endpoint logging and Windows Error Reporting.
Monitoring Recommendations
- Inventory endpoints that have IrfanView and the CADImage Plugin installed and prioritize them for telemetry coverage.
- Alert on outbound network connections initiated by i_view32.exe or i_view64.exe shortly after a DXF file is opened.
- Correlate user-opened CAD files with subsequent unusual process trees to identify post-exploitation activity.
How to Mitigate CVE-2025-7276
Immediate Actions Required
- Update the IrfanView CADImage Plugin to the latest version provided by CadSoftTools as soon as a patched build is available.
- Restrict DXF file handling to trusted sources and block DXF attachments from untrusted senders at the email gateway.
- Remove the CADImage Plugin on endpoints that do not require CAD file viewing.
Patch Information
No vendor advisory URL is listed in the NVD entry at this time. Refer to the Zero Day Initiative Advisory ZDI-25-523 for coordinated disclosure details and check the CadSoftTools and IrfanView download pages for updated plugin builds before deploying.
Workarounds
- Uninstall the CADImage Plugin until an updated version is verified and deployed.
- Configure file-association policies so DXF files do not open in IrfanView by default on user workstations.
- Run IrfanView under a standard user account and enforce application-control policies to limit the impact of in-process code execution.
# Example PowerShell check for IrfanView and CADImage Plugin presence
Get-ChildItem -Path 'C:\Program Files\IrfanView\Plugins' -Filter 'CADIMAGE.DLL' -ErrorAction SilentlyContinue
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
Where-Object { $_.DisplayName -like '*IrfanView*' -or $_.DisplayName -like '*CADImage*' } |
Select-Object DisplayName, DisplayVersion, Publisher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

