CVE-2025-7278 Overview
CVE-2025-7278 is a memory corruption vulnerability in the IrfanView CADImage plugin developed by CADSoftTools. The flaw resides in the DXF file parsing logic and allows attackers to execute arbitrary code in the context of the current user process. Exploitation requires user interaction, where the target must open a crafted DXF file or visit a malicious page that delivers one. The issue was reported through Trend Micro's Zero Day Initiative under tracking identifier ZDI-CAN-26211 and is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Successful exploitation yields arbitrary code execution under the privileges of the user running IrfanView, enabling full compromise of the affected workstation.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86 and x64 builds)
- IrfanView (x86 and x64 builds) with the CADImage plugin installed
- Windows workstations processing DXF files through IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7278 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7278
Vulnerability Analysis
The vulnerability exists in the CADImage plugin component that parses Drawing Exchange Format (DXF) files inside IrfanView. DXF is an ASCII or binary CAD interchange format with nested entity structures and variable-length fields. The plugin fails to properly validate user-supplied data within DXF records before using it in memory operations. An attacker who crafts malformed entity fields can trigger a memory corruption condition during parsing. This corruption is reachable from a local file open or a browser-driven file handoff, satisfying the user-interaction requirement.
Because IrfanView is a widely deployed image and document viewer, attackers can deliver weaponized .dxf files through phishing attachments, drive-by download chains, or file shares. Once the user opens the file, the plugin processes the malformed structure and the corruption primitive is converted into arbitrary code execution.
Root Cause
The root cause is insufficient bounds checking on attacker-controlled fields within DXF group codes. The parser trusts size, count, or offset values supplied in the file and operates on memory buffers without enforcing the buffer's actual capacity. This pattern aligns with [CWE-119] and produces an exploitable write or read primitive depending on the affected code path.
Attack Vector
The attack vector is local file processing with required user interaction. The attacker sends or hosts a malicious DXF file. The victim opens the file with IrfanView, or the file is opened automatically by an associated handler. The CADImage plugin parses the file, the memory corruption is triggered, and the attacker gains code execution in the IrfanView process context. No elevated privileges are required to launch the attack, and confidentiality, integrity, and availability are all impacted.
The vulnerability mechanism is described in the Zero Day Initiative Advisory ZDI-25-526. No public proof-of-concept exploit is currently available.
Detection Methods for CVE-2025-7278
Indicators of Compromise
- Unexpected i_view32.exe or i_view64.exe child processes such as cmd.exe, powershell.exe, or rundll32.exe following the open of a .dxf file
- Crashes or Windows Error Reporting events referencing the CADImage plugin DLL during DXF processing
- Inbound .dxf attachments from untrusted senders, particularly those bypassing standard CAD workflow channels
- Outbound network connections initiated by the IrfanView process shortly after file open
Detection Strategies
- Monitor process-creation telemetry for IrfanView spawning interpreters, scripting hosts, or LOLBins
- Inspect file-open events for .dxf extensions handled by IrfanView on endpoints that do not perform CAD work
- Alert on unsigned or anomalous module loads inside the IrfanView process address space
- Hunt for IrfanView crashes correlated with newly delivered DXF files in mail or download directories
Monitoring Recommendations
- Forward endpoint process, module-load, and file-write telemetry to a centralized data lake for correlation across users
- Track plugin DLL versions on endpoints to identify hosts still running vulnerable CADImage builds
- Apply behavioral analytics to flag IrfanView performing network egress or persistence actions, which are not part of its normal behavior
How to Mitigate CVE-2025-7278
Immediate Actions Required
- Inventory all endpoints with IrfanView installed and identify which have the CADImage plugin loaded
- Restrict or remove the CADImage plugin on systems that do not require DXF or CAD file viewing
- Block inbound .dxf attachments at the email gateway for users outside engineering or design teams
- Train users to avoid opening unsolicited CAD files and to validate sources before opening DXF content
Patch Information
No vendor patch is referenced in the NVD entry or the ZDI advisory at the time of publication. Administrators should monitor the Zero Day Initiative Advisory ZDI-25-526 and the CADSoftTools and IrfanView vendor pages for an updated CADImage plugin release. Once a fixed build is available, deploy it across all affected x86 and x64 installations.
Workarounds
- Uninstall the CADImage plugin until a patched version is released
- Remove file association for .dxf from IrfanView and route CAD files to a dedicated, sandboxed viewer
- Run IrfanView under a low-privilege account and apply application allowlisting to limit post-exploitation impact
- Use attachment sandboxing or detonation for inbound DXF files in business email flows
# Remove the DXF file association for IrfanView on Windows
reg delete "HKCU\Software\Classes\.dxf" /f
reg delete "HKCU\Software\Classes\IrfanView.DXF" /f
# List installed IrfanView plugins to confirm CADImage removal
dir "C:\Program Files\IrfanView\Plugins\CADImage*"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

