Skip to main content
CVE Vulnerability Database

CVE-2025-7278: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7278 is a remote code execution flaw in Cadsofttools Cadimage affecting DXF file parsing that enables attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7278 Overview

CVE-2025-7278 is a memory corruption vulnerability in the IrfanView CADImage plugin developed by CADSoftTools. The flaw resides in the DXF file parsing logic and allows attackers to execute arbitrary code in the context of the current user process. Exploitation requires user interaction, where the target must open a crafted DXF file or visit a malicious page that delivers one. The issue was reported through Trend Micro's Zero Day Initiative under tracking identifier ZDI-CAN-26211 and is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Successful exploitation yields arbitrary code execution under the privileges of the user running IrfanView, enabling full compromise of the affected workstation.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x86 and x64 builds)
  • IrfanView (x86 and x64 builds) with the CADImage plugin installed
  • Windows workstations processing DXF files through IrfanView

Discovery Timeline

  • 2025-07-21 - CVE-2025-7278 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7278

Vulnerability Analysis

The vulnerability exists in the CADImage plugin component that parses Drawing Exchange Format (DXF) files inside IrfanView. DXF is an ASCII or binary CAD interchange format with nested entity structures and variable-length fields. The plugin fails to properly validate user-supplied data within DXF records before using it in memory operations. An attacker who crafts malformed entity fields can trigger a memory corruption condition during parsing. This corruption is reachable from a local file open or a browser-driven file handoff, satisfying the user-interaction requirement.

Because IrfanView is a widely deployed image and document viewer, attackers can deliver weaponized .dxf files through phishing attachments, drive-by download chains, or file shares. Once the user opens the file, the plugin processes the malformed structure and the corruption primitive is converted into arbitrary code execution.

Root Cause

The root cause is insufficient bounds checking on attacker-controlled fields within DXF group codes. The parser trusts size, count, or offset values supplied in the file and operates on memory buffers without enforcing the buffer's actual capacity. This pattern aligns with [CWE-119] and produces an exploitable write or read primitive depending on the affected code path.

Attack Vector

The attack vector is local file processing with required user interaction. The attacker sends or hosts a malicious DXF file. The victim opens the file with IrfanView, or the file is opened automatically by an associated handler. The CADImage plugin parses the file, the memory corruption is triggered, and the attacker gains code execution in the IrfanView process context. No elevated privileges are required to launch the attack, and confidentiality, integrity, and availability are all impacted.

The vulnerability mechanism is described in the Zero Day Initiative Advisory ZDI-25-526. No public proof-of-concept exploit is currently available.

Detection Methods for CVE-2025-7278

Indicators of Compromise

  • Unexpected i_view32.exe or i_view64.exe child processes such as cmd.exe, powershell.exe, or rundll32.exe following the open of a .dxf file
  • Crashes or Windows Error Reporting events referencing the CADImage plugin DLL during DXF processing
  • Inbound .dxf attachments from untrusted senders, particularly those bypassing standard CAD workflow channels
  • Outbound network connections initiated by the IrfanView process shortly after file open

Detection Strategies

  • Monitor process-creation telemetry for IrfanView spawning interpreters, scripting hosts, or LOLBins
  • Inspect file-open events for .dxf extensions handled by IrfanView on endpoints that do not perform CAD work
  • Alert on unsigned or anomalous module loads inside the IrfanView process address space
  • Hunt for IrfanView crashes correlated with newly delivered DXF files in mail or download directories

Monitoring Recommendations

  • Forward endpoint process, module-load, and file-write telemetry to a centralized data lake for correlation across users
  • Track plugin DLL versions on endpoints to identify hosts still running vulnerable CADImage builds
  • Apply behavioral analytics to flag IrfanView performing network egress or persistence actions, which are not part of its normal behavior

How to Mitigate CVE-2025-7278

Immediate Actions Required

  • Inventory all endpoints with IrfanView installed and identify which have the CADImage plugin loaded
  • Restrict or remove the CADImage plugin on systems that do not require DXF or CAD file viewing
  • Block inbound .dxf attachments at the email gateway for users outside engineering or design teams
  • Train users to avoid opening unsolicited CAD files and to validate sources before opening DXF content

Patch Information

No vendor patch is referenced in the NVD entry or the ZDI advisory at the time of publication. Administrators should monitor the Zero Day Initiative Advisory ZDI-25-526 and the CADSoftTools and IrfanView vendor pages for an updated CADImage plugin release. Once a fixed build is available, deploy it across all affected x86 and x64 installations.

Workarounds

  • Uninstall the CADImage plugin until a patched version is released
  • Remove file association for .dxf from IrfanView and route CAD files to a dedicated, sandboxed viewer
  • Run IrfanView under a low-privilege account and apply application allowlisting to limit post-exploitation impact
  • Use attachment sandboxing or detonation for inbound DXF files in business email flows
bash
# Remove the DXF file association for IrfanView on Windows
reg delete "HKCU\Software\Classes\.dxf" /f
reg delete "HKCU\Software\Classes\IrfanView.DXF" /f

# List installed IrfanView plugins to confirm CADImage removal
dir "C:\Program Files\IrfanView\Plugins\CADImage*"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.