CVE-2025-7287 Overview
CVE-2025-7287 is a memory corruption vulnerability in the IrfanView CADImage Plugin. The flaw exists in the parsing logic for Drawing Exchange Format (DXF) files. Improper validation of user-supplied data leads to memory corruption during file processing. An attacker who convinces a user to open a crafted DXF file or visit a malicious page can execute arbitrary code in the context of the current process. The Zero Day Initiative tracks this issue as ZDI-CAN-26223. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Successful exploitation allows arbitrary code execution in the context of the user running IrfanView, enabling full compromise of user data and session privileges.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86)
- CADSoftTools CADImage Plugin for IrfanView (x64)
- IrfanView (x86 and x64) installations with the CADImage Plugin enabled
Discovery Timeline
- 2025-07-21 - CVE-2025-7287 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7287
Vulnerability Analysis
The vulnerability resides in the CADImage Plugin component that handles DXF file parsing. DXF is a CAD data interchange format containing structured ASCII or binary entity records. The plugin processes attacker-controlled fields within DXF structures without sufficient bounds or type checking. This produces a memory corruption condition during the parse routine. An attacker who triggers the corrupted state can manipulate process memory and redirect execution flow. The result is arbitrary code execution under the privileges of the IrfanView process.
Root Cause
The root cause is the absence of proper validation of user-supplied data during DXF file parsing, mapped to [CWE-119]. The plugin trusts size or offset values embedded in DXF records and writes or reads memory outside of intended buffer boundaries. This trust boundary violation enables a crafted file to corrupt adjacent memory structures, including control data used by the runtime.
Attack Vector
Exploitation requires user interaction. The victim must open a malicious DXF file in IrfanView or visit a web page that delivers such a file through associated handlers. The attack vector is local because file processing occurs on the victim host, but delivery commonly happens through phishing emails, drive-by downloads, or shared documents. No authentication or elevated privileges are required by the attacker. See the Zero Day Initiative Advisory ZDI-25-533 for the vendor-coordinated technical summary.
No verified public exploit code is available. Technical detail beyond the ZDI advisory has not been published.
Detection Methods for CVE-2025-7287
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe.
- Crashes or anomalous memory access violations originating from the CADIMAGE.DLL plugin module.
- DXF files received from untrusted email, web, or shared storage sources opened by IrfanView immediately preceding suspicious process activity.
Detection Strategies
- Monitor process lineage for IrfanView spawning interpreters, scripting hosts, or LOLBins.
- Alert on module load events where CADIMAGE.DLL is followed by exception events or DEP/ASLR mitigation triggers.
- Inspect file telemetry for DXF files originating outside the organization that are opened on workstations with IrfanView installed.
Monitoring Recommendations
- Enable command-line and process creation auditing on Windows endpoints to capture IrfanView invocation arguments.
- Forward endpoint telemetry to a centralized analytics platform and correlate DXF file opens with subsequent process anomalies.
- Track installed software inventory to identify endpoints with the CADImage Plugin where it is not required for business use.
How to Mitigate CVE-2025-7287
Immediate Actions Required
- Identify all endpoints with IrfanView and the CADImage Plugin installed and prioritize systems handling external CAD content.
- Remove or disable the CADImage Plugin where DXF support is not required.
- Restrict the file association for .dxf so that untrusted files are not opened automatically by IrfanView.
- Train users to validate the origin of CAD files before opening and to report unsolicited DXF attachments.
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-533 for vendor coordination status and remediation guidance. Apply the latest available CADImage Plugin and IrfanView updates from the official vendor distribution channels as soon as fixed versions are released.
Workarounds
- Uninstall the CADImage Plugin from IrfanView on systems that do not require DXF processing.
- Block DXF attachments at the email gateway and inspect DXF downloads at the web proxy when no business need exists.
- Run IrfanView under a standard user account with no administrative privileges to constrain the impact of code execution.
- Apply application allowlisting to prevent IrfanView from launching scripting interpreters or other unrelated child processes.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

