CVE-2025-7282 Overview
CVE-2025-7282 is a memory corruption vulnerability in the IrfanView CADImage Plugin. The flaw exists in the parsing logic for Drawing Exchange Format (DXF) files. Attackers can leverage the issue to execute arbitrary code in the context of the current process. Exploitation requires user interaction — the target must open a malicious DXF file or visit a page that delivers one. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26216 and tracked under advisory ZDI-25-530. It is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
A crafted DXF file processed by the IrfanView CADImage Plugin can corrupt memory and allow arbitrary code execution in the user's process context.
Affected Products
- IrfanView (x86 and x64 builds) with the CADImage Plugin installed
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
Discovery Timeline
- 2025-07-21 - CVE-2025-7282 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7282
Vulnerability Analysis
The CADImage Plugin extends IrfanView with support for computer-aided design file formats, including DXF. DXF files contain structured records describing drawing entities, layers, and geometric data. The plugin parses these records to render images inside IrfanView. The vulnerability arises when the plugin processes attacker-controlled fields inside a DXF file without validating their size or structure against the destination buffer. The resulting memory corruption can be steered to overwrite control data and redirect execution into attacker-supplied code. Because IrfanView is commonly used to preview untrusted images and drawings, a single double-click on a malicious .dxf file is sufficient to trigger the flaw.
Root Cause
The defect maps to [CWE-119]. The DXF parser inside the CADImage Plugin trusts length or count values supplied by the file and performs read or write operations beyond the bounds of an allocated buffer. The Zero Day Initiative advisory ZDI-25-530 describes the issue as a lack of proper validation of user-supplied data leading to a memory corruption condition.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious DXF file through email, a download link, a shared drive, or a web page that triggers IrfanView as the registered handler. When the victim opens the file, the CADImage Plugin parses it and the memory corruption is triggered. Code executes with the privileges of the IrfanView process, typically the standard user account, which is sufficient for credential theft, lateral movement preparation, and follow-on payload deployment.
No public proof-of-concept code or exploit module is available in the referenced sources. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-530.
Detection Methods for CVE-2025-7282
Indicators of Compromise
- .dxf files arriving from untrusted email senders, instant messaging, or web downloads and opened with IrfanView
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe
- Crash events or Windows Error Reporting entries referencing the CADImage Plugin module while parsing DXF content
- Outbound network connections initiated by IrfanView shortly after a DXF file is opened
Detection Strategies
- Monitor process-creation telemetry for IrfanView spawning script interpreters, shells, or LOLBins immediately after file open events.
- Alert on IrfanView loading the CADImage Plugin module followed by anomalous memory allocations or thread creation in remote processes.
- Hunt for .dxf file writes to user-writable locations such as %TEMP%, Downloads, and Desktop followed by IrfanView execution.
Monitoring Recommendations
- Forward endpoint process, file, and module-load events to a centralized analytics platform and retain them for retrospective hunts.
- Track installed IrfanView and CADImage Plugin versions across the estate to identify hosts that remain unpatched.
- Correlate email gateway logs of .dxf attachments with endpoint open events to identify targeted delivery.
How to Mitigate CVE-2025-7282
Immediate Actions Required
- Inventory all endpoints running IrfanView and identify those with the CADImage Plugin installed.
- Remove or disable the CADImage Plugin on systems that do not require DXF or CAD file support.
- Instruct users not to open DXF files received from untrusted sources until a fixed plugin version is deployed.
- Block .dxf attachments at the email gateway where the file type is not required for business operations.
Patch Information
No fixed version is referenced in the NVD entry at the time of writing. Monitor the Zero Day Initiative Advisory ZDI-25-530 and the IrfanView and CADSoftTools vendor pages for an updated CADImage Plugin release that addresses the DXF parser. Apply the updated plugin to every endpoint where IrfanView is installed.
Workarounds
- Uninstall the CADImage Plugin until a patched version is available.
- Change the default file association for .dxf so that IrfanView does not open these files automatically.
- Run IrfanView under a standard, non-administrative account to limit the impact of successful exploitation.
- Apply Windows Defender Application Control or AppLocker rules to restrict child processes that IrfanView may launch.
# Remove the .dxf file association for IrfanView on Windows
assoc .dxf=
ftype IrfanView.DXF=
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

