CVE-2025-7289 Overview
CVE-2025-7289 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code in the context of the current process. The flaw exists in the parsing logic for Drawing Exchange Format (DXF) files and stems from insufficient validation of user-supplied data [CWE-119]. Exploitation requires user interaction, meaning a target must open a malicious DXF file or visit a page that delivers one. The Zero Day Initiative tracked this issue as ZDI-CAN-26225 before assignment of CVE-2025-7289.
Critical Impact
Successful exploitation grants arbitrary code execution under the privileges of the user running IrfanView, enabling local compromise of the host.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64)
- Windows systems with the CADImage plugin installed for DXF rendering
Discovery Timeline
- 2025-07-21 - CVE-2025-7289 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7289
Vulnerability Analysis
The vulnerability resides in the CADImage plugin's DXF file parser. DXF is an ASCII or binary CAD interchange format that uses paired group codes and values to describe drawing entities. The parser processes attacker-controlled fields from the DXF file without enforcing proper bounds on the supplied data. When the parser reads malformed structures, it writes or reads outside the bounds of an allocated buffer, corrupting adjacent memory.
An attacker who controls the layout of the corrupted region can hijack execution flow and run arbitrary code in the IrfanView process. Because IrfanView is commonly executed in interactive user sessions, the executed code inherits the user's privileges, including access to documents, credentials, and network resources reachable from that account.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119] during DXF parsing. Length fields and counts taken from the file are trusted without validation against the size of the destination buffer.
Attack Vector
Exploitation requires the victim to open a malicious DXF file with IrfanView while the CADImage plugin is installed, or to visit a webpage that delivers such a file through a handler association. The attack vector is local and requires user interaction, but no privileges are needed by the attacker prior to file delivery.
No verified proof-of-concept code is publicly available. Refer to the Zero Day Initiative Advisory ZDI-25-535 for additional technical context.
Detection Methods for CVE-2025-7289
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, such as command shells, script interpreters, or rundll32.exe
- DXF files arriving via email, chat, or web download from untrusted senders, especially in archives or with unusual file sizes
- Crash dumps or Windows Error Reporting events referencing the CADImage plugin DLL during DXF processing
Detection Strategies
- Hunt for process lineage where IrfanView is the parent of cmd.exe, powershell.exe, wscript.exe, or mshta.exe
- Alert on IrfanView making outbound network connections shortly after opening a file with a .dxf extension
- Inspect file write activity by the IrfanView process to autorun locations such as the Startup folder or Run registry keys
Monitoring Recommendations
- Enable command-line and module-load auditing on workstations that have IrfanView installed
- Forward Sysmon process creation, image load, and file create events to a central analytics platform for correlation
- Track installation inventory for the CADImage plugin to identify exposed hosts pending patching
How to Mitigate CVE-2025-7289
Immediate Actions Required
- Identify all hosts running IrfanView with the CADImage plugin and prioritize them for patching
- Block inbound .dxf attachments at the email gateway until patches are validated and deployed
- Remove file associations that automatically open DXF files in IrfanView for non-CAD users
- Instruct users not to open DXF files from untrusted sources, including web downloads and unsolicited messages
Patch Information
No fixed version is listed in the published advisory at time of writing. Monitor the Zero Day Initiative Advisory ZDI-25-535 and the CADSoftTools vendor site for updated CADImage plugin builds, and update IrfanView and the plugin to the latest available release once published.
Workarounds
- Uninstall the CADImage plugin from IrfanView on systems that do not require DXF rendering
- Restrict execution of IrfanView through application control policies such as Windows Defender Application Control or AppLocker
- Run IrfanView under a low-privilege account and consider executing it inside an isolated container such as Windows Sandbox when DXF inspection is required
# Example AppLocker-style path rule to block IrfanView execution
# pending patch deployment (PowerShell)
New-AppLockerPolicy -RuleType Path -User Everyone `
-Path "%PROGRAMFILES%\IrfanView\i_view64.exe" `
-Action Deny | Set-AppLockerPolicy -Merge
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

