Skip to main content
CVE Vulnerability Database

CVE-2025-7285: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7285 is a remote code execution flaw in Cadsofttools Cadimage that allows attackers to execute arbitrary code through malicious DXF files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7285 Overview

CVE-2025-7285 is a memory corruption vulnerability in the IrfanView CADImage Plugin. The flaw exists in the parser that handles Drawing Exchange Format (DXF) files. Improper validation of user-supplied data allows attackers to corrupt memory and execute arbitrary code in the context of the current process. Exploitation requires user interaction, such as opening a crafted DXF file or visiting a malicious page that delivers one. The Zero Day Initiative tracks this issue as ZDI-CAN-26221 and published advisory ZDI-25-537. The vulnerability maps to [CWE-119], improper restriction of operations within the bounds of a memory buffer.

Critical Impact

A single malicious DXF file can deliver arbitrary code execution under the privileges of the IrfanView user, enabling initial access, persistence, and lateral movement on Windows endpoints.

Affected Products

  • IrfanView (x86 and x64 builds)
  • CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
  • Workstations rendering or thumbnailing untrusted DXF files

Discovery Timeline

  • 2025-07-21 - CVE-2025-7285 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7285

Vulnerability Analysis

The CADImage Plugin extends IrfanView with support for computer-aided design formats including DXF. When the plugin parses a DXF file, it processes structured ASCII or binary records describing geometric entities, layers, and headers. The parser fails to fully validate length and type fields supplied by the file before using them in memory operations. An attacker who controls those fields can drive the parser into an out-of-bounds write or comparable memory corruption state. The corrupted memory can then be leveraged to redirect execution flow. Successful exploitation runs attacker-controlled code in the security context of the user that opened the file. The Zero Day Initiative advisory ZDI-25-537 documents the technical findings.

Root Cause

The root cause is missing bounds validation on user-supplied values inside DXF group codes consumed by the CADImage parser. The parser trusts attacker-controlled size or index data, producing a memory corruption primitive consistent with [CWE-119].

Attack Vector

The attack vector is local but user-driven. A victim must open a malicious DXF file in IrfanView or trigger automatic parsing through a download, archive extraction, or shell preview action. Delivery commonly occurs through phishing email attachments, drive-by downloads, or shared file repositories.

No verified proof-of-concept code is currently public. See ZDI-25-537 for the vendor-coordinated technical summary.

Detection Methods for CVE-2025-7285

Indicators of Compromise

  • DXF files arriving from untrusted sources, especially via email attachments or web downloads, that trigger i_view32.exe or i_view64.exe to spawn shells, scripting hosts, or rundll32.exe.
  • Crash artifacts referencing the CADImage plugin DLL inside Plugins\CADIMAGE.DLL or related modules under the IrfanView installation directory.
  • Unexpected child processes such as cmd.exe, powershell.exe, or wscript.exe parented to IrfanView.

Detection Strategies

  • Hunt for IrfanView processes loading the CADImage plugin and subsequently making outbound network connections or writing executables to disk.
  • Alert on Windows Error Reporting events (Event ID 1000, 1001) where the faulting module is the CADImage plugin.
  • Correlate file-open telemetry for .dxf extensions with process injection or anomalous memory allocations within IrfanView.

Monitoring Recommendations

  • Behavioral AI-based endpoint protection such as SentinelOne Singularity Endpoint can identify post-exploitation activity, including suspicious child process creation and in-memory code execution originating from IrfanView.
  • Forward endpoint and process telemetry into Singularity Data Lake to retain DXF-related parser crashes and child-process chains for hunting and incident response.
  • Track new DXF file downloads through web proxy and email gateway logs to enable retroactive scoping if exploitation is confirmed.

How to Mitigate CVE-2025-7285

Immediate Actions Required

  • Update IrfanView and the CADImage Plugin to the latest versions released by IrfanView and CADSoftTools that address ZDI-CAN-26221.
  • Block inbound DXF attachments at email gateways until patching is verified across the estate.
  • Restrict execution of IrfanView on systems that do not have a documented business need to render CAD files.

Patch Information

Refer to the Zero Day Initiative Advisory ZDI-25-537 for vendor coordination details. Apply the latest CADImage Plugin build from CADSoftTools and the current IrfanView release. No vendor advisory URL is published in the NVD record beyond the ZDI reference, so verify versions directly with the vendors before deployment.

Workarounds

  • Remove or rename the CADImage plugin DLL from the IrfanView Plugins directory on hosts that do not require DXF support.
  • Disassociate the .dxf file extension from IrfanView and route opens through a sandboxed or read-only CAD viewer.
  • Enforce application allowlisting to prevent IrfanView from spawning interpreters such as cmd.exe, powershell.exe, or wscript.exe.
bash
# Example: remove the CADImage plugin on a Windows endpoint via PowerShell
Remove-Item "C:\Program Files\IrfanView\Plugins\CADIMAGE.DLL" -Force
# Remove the .dxf file association for the current user
reg delete "HKCU\Software\Classes\.dxf" /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.