Skip to main content
CVE Vulnerability Database

CVE-2025-7288: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7288 is a remote code execution flaw in Cadsofttools Cadimage DXF file parsing that enables attackers to execute arbitrary code. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-7288 Overview

CVE-2025-7288 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code through crafted DXF files. The flaw stems from improper validation of user-supplied data during DXF file parsing [CWE-119]. Exploitation requires user interaction: the target must open a malicious DXF file or visit a page that triggers the plugin. Successful exploitation grants code execution in the context of the current process running IrfanView. The issue was reported through the Zero Day Initiative as ZDI-CAN-26224 and published as advisory ZDI-25-534.

Critical Impact

Attackers can execute arbitrary code on systems where users open malicious DXF files with IrfanView and the CADImage plugin installed, leading to full compromise of the user's process context.

Affected Products

  • IrfanView (x86 and x64 builds)
  • CADSoftTools CADImage Plugin for IrfanView (x86 and x64 builds)
  • Windows systems with the CADImage plugin registered as a DXF handler

Discovery Timeline

  • 2025-07-21 - CVE-2025-7288 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7288

Vulnerability Analysis

The vulnerability resides in the DXF file parser implemented by the CADImage plugin for IrfanView. DXF (Drawing Exchange Format) is a CAD interchange format containing structured records that describe geometry, layers, and metadata. When the plugin parses a malformed DXF record, it fails to validate the size or content of attacker-controlled fields before operating on memory buffers. This results in a memory corruption condition consistent with the classification under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). Because IrfanView typically runs at the privileges of the interactive user, code execution inherits that user's rights and tokens, enabling subsequent stages such as credential theft, lateral movement, or persistence.

Root Cause

The root cause is missing bounds checking on user-supplied values extracted from DXF records during parsing. The plugin trusts length, index, or offset fields embedded in the file and uses them to read from or write to memory buffers. An attacker who controls these fields can overflow a buffer, corrupt adjacent heap metadata, or hijack control flow structures used by the parser.

Attack Vector

Exploitation requires a victim to open a malicious DXF file in IrfanView with the CADImage plugin installed. Delivery vectors include email attachments, drive-by downloads, file shares, and archives containing the crafted DXF. The CVSS vector AV:L/AC:L/PR:N/UI:R reflects that local file access and user interaction are required, while impact on confidentiality, integrity, and availability is high.

No public proof-of-concept code is available for CVE-2025-7288. Technical details are limited to the Zero Day Initiative advisory; see the Zero Day Initiative Advisory ZDI-25-534 for vendor-coordinated information.

Detection Methods for CVE-2025-7288

Indicators of Compromise

  • Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as cmd.exe, powershell.exe, or rundll32.exe
  • DXF files arriving from untrusted email senders, web downloads, or removable media immediately before crash or anomalous process activity
  • Windows Error Reporting (WER) crash entries referencing the CADImage plugin DLL during DXF parsing
  • New scheduled tasks, registry Run keys, or persistence artifacts created in the user context shortly after a DXF file is opened

Detection Strategies

  • Hunt for IrfanView processes loading the CADImage plugin DLL followed by network egress or token manipulation calls
  • Build EDR rules that flag image-viewer processes writing executables to %TEMP%, %APPDATA%, or user profile directories
  • Correlate DXF file open events from Office or browser parents with subsequent suspicious process trees
  • Use file content inspection at the email gateway to identify malformed DXF records that fail strict schema validation

Monitoring Recommendations

  • Enable command-line and parent-child process logging via Sysmon Event ID 1 and Windows Security Event ID 4688
  • Monitor module loads (Sysmon Event ID 7) for the CADImage plugin and alert on crashes during DXF processing
  • Track creation of DXF files in user download paths and correlate with subsequent IrfanView execution
  • Forward endpoint telemetry to a centralized analytics tier to support cross-host hunting for the same malicious DXF hash

How to Mitigate CVE-2025-7288

Immediate Actions Required

  • Inventory endpoints running IrfanView with the CADImage plugin and prioritize systems used to triage external files
  • Remove or disable the CADImage plugin on hosts where DXF viewing is not a business requirement
  • Block inbound DXF attachments at the email gateway and quarantine DXF files downloaded from untrusted sources
  • Restrict IrfanView execution on high-value workstations through application control policies until a patched plugin is deployed

Patch Information

At the time of publication, the Zero Day Initiative advisory ZDI-25-534 is the authoritative source for fix status. Administrators should consult Zero Day Initiative Advisory ZDI-25-534 and the CADSoftTools vendor page for the latest CADImage plugin release, then redeploy across all IrfanView installations.

Workarounds

  • Uninstall the CADImage plugin from IrfanView until a patched version is verified in your environment
  • Disassociate the .dxf extension from IrfanView so the vulnerable parser is not invoked by double-click
  • Run IrfanView under a low-privilege account and within an application sandbox when DXF inspection is required
  • Enforce attachment filtering and web download policies that strip or block DXF files from untrusted origins
bash
# Remove .dxf file association for IrfanView on Windows (run elevated)
reg delete "HKCR\.dxf" /f
reg delete "HKCR\IrfanView.DXF" /f

# Block IrfanView from launching child processes via AppLocker / WDAC policy
# Example AppLocker rule: deny i_view64.exe from spawning cmd.exe, powershell.exe, wscript.exe

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.