Skip to main content
CVE Vulnerability Database

CVE-2025-7286: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7286 is a remote code execution vulnerability in Cadsofttools Cadimage affecting DXF file parsing. Attackers can exploit memory corruption to execute arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7286 Overview

CVE-2025-7286 is a memory corruption vulnerability in the IrfanView CADImage Plugin developed by CADSoftTools. The flaw exists within the parser that handles Drawing Exchange Format (DXF) files. Attackers can exploit the issue by tricking a user into opening a malicious DXF file or visiting a crafted page that triggers the plugin. Successful exploitation allows arbitrary code execution in the context of the current process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26222 and tracked publicly as ZDI-25-532. It is classified under [CWE-119], improper restriction of operations within the bounds of a memory buffer.

Critical Impact

Opening a malicious DXF file in IrfanView with the CADImage Plugin installed can lead to arbitrary code execution under the user's privileges.

Affected Products

  • IrfanView (x86 and x64 builds with the CADImage Plugin installed)
  • CADSoftTools CADImage Plugin for IrfanView (x86)
  • CADSoftTools CADImage Plugin for IrfanView (x64)

Discovery Timeline

  • 2025-07-21 - CVE-2025-7286 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in the NVD database

Technical Details for CVE-2025-7286

Vulnerability Analysis

The vulnerability resides in the DXF file parser of the CADImage Plugin used by IrfanView. DXF is an ASCII or binary CAD data exchange format containing structured sections, groups, and entity records. The parser fails to validate fields supplied within a DXF document before using them in memory operations. A crafted entity or header record causes the parser to read or write outside the bounds of an allocated buffer. This memory corruption condition is reachable from any DXF file opened by the user, including those loaded indirectly through a web page or file association.

Root Cause

The root cause is the lack of proper validation of user-supplied data during DXF parsing, mapped to [CWE-119]. Length, offset, or count fields embedded in the file are trusted without bounds checks. The parser uses these untrusted values to index into or copy data across heap or stack buffers, producing an out-of-bounds memory access. An attacker who controls those fields can shape the corruption to overwrite adjacent objects, function pointers, or return addresses.

Attack Vector

Exploitation requires user interaction. The target must open a malicious DXF file in IrfanView, or visit a web page that delivers and renders such a file through the vulnerable plugin. The attack does not require authentication and runs in the security context of the user executing IrfanView. Because IrfanView is commonly used on desktop systems with full user privileges, successful exploitation can lead to credential theft, lateral movement, or installation of additional payloads.

No public proof-of-concept code or in-the-wild exploitation has been reported. Technical specifics are documented in the Zero Day Initiative Advisory ZDI-25-532.

Detection Methods for CVE-2025-7286

Indicators of Compromise

  • DXF files received from untrusted sources, especially via email attachments, chat links, or drive-by download pages targeting IrfanView users.
  • IrfanView (i_view32.exe or i_view64.exe) spawning unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe.
  • Crash or Windows Error Reporting events involving the CADImage plugin DLL during DXF file open operations.
  • Network connections originating from the IrfanView process to external hosts shortly after a DXF file is opened.

Detection Strategies

  • Hunt for process creation events where i_view32.exe or i_view64.exe is the parent of a script interpreter or shell binary.
  • Inspect file open telemetry for .dxf extensions handled by IrfanView and correlate with subsequent suspicious behavior.
  • Monitor Application Error and Windows Error Reporting logs (Event IDs 1000, 1001) referencing the CADImage plugin module.
  • Apply YARA rules over inbound files for malformed DXF headers and abnormally large group code or section length values.

Monitoring Recommendations

  • Forward endpoint process, file, and crash telemetry to a centralized analytics platform for behavioral correlation.
  • Alert on first-seen execution of IrfanView on hosts where the application is not part of the standard image.
  • Track installation and version state of the CADImage Plugin across the fleet to identify unpatched endpoints.

How to Mitigate CVE-2025-7286

Immediate Actions Required

  • Inventory all endpoints running IrfanView and identify those with the CADImage Plugin installed.
  • Remove or disable the CADImage Plugin on systems that do not require DXF or CAD file viewing.
  • Block delivery of .dxf attachments at the email gateway and restrict downloads of CAD files from untrusted web sources.
  • Instruct users to avoid opening DXF files from unknown senders until a vendor patch is applied.

Patch Information

No vendor advisory URL is listed in the NVD entry at the time of publication. Administrators should monitor the IrfanView plugin distribution page and the CADSoftTools website for an updated CADImage Plugin release that addresses the DXF parser flaw, and reference ZDI-25-532 for coordinated disclosure status.

Workarounds

  • Uninstall the CADImage Plugin until a fixed version is released, eliminating the vulnerable DXF parsing code path.
  • Remove the file association between .dxf files and IrfanView to prevent accidental double-click execution.
  • Run IrfanView under a low-privilege user account and enforce application allow-listing to constrain post-exploitation actions.
  • Enable exploit mitigations such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) for the IrfanView process via Windows Defender Exploit Guard.
bash
# Windows: remove the .dxf association from IrfanView (run as administrator)
reg delete "HKLM\SOFTWARE\Classes\.dxf" /f
reg delete "HKCU\SOFTWARE\Classes\.dxf" /f

# Apply Exploit Guard mitigations to the IrfanView binaries
Set-ProcessMitigation -Name i_view64.exe -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy
Set-ProcessMitigation -Name i_view32.exe -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.