CVE-2025-7290 Overview
CVE-2025-7290 is a memory corruption vulnerability in the IrfanView CADImage Plugin that enables arbitrary code execution when a user opens a crafted Drawing Exchange Format (DXF) file. The flaw exists in the plugin's DXF file parsing logic, which fails to properly validate user-supplied data before processing. Attackers exploit this issue by delivering a malicious DXF file through email, web download, or other social engineering vectors. Successful exploitation executes code in the context of the current process, giving attackers the same privileges as the user running IrfanView. The vulnerability was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-26226.
Critical Impact
Opening a malicious DXF file in IrfanView with the CADImage Plugin installed results in arbitrary code execution under the current user's context.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) when the CADImage Plugin is installed
- Windows installations using vulnerable plugin versions prior to the vendor fix
Discovery Timeline
- 2025-07-21 - CVE-2025-7290 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7290
Vulnerability Analysis
The vulnerability resides in the CADImage Plugin's routine that parses DXF files, a CAD interchange format used to share 2D and 3D drawing data. The parser does not adequately validate length, offset, or structural fields contained in the DXF input. When the plugin processes attacker-controlled values, it corrupts adjacent memory structures within the IrfanView process. The condition is classified as a memory buffer error [CWE-119].
The Common Weakness Enumeration entry covers improper restriction of operations within the bounds of a memory buffer. Attackers controlling the malformed fields can influence heap or stack memory in a deterministic manner. This level of control is typically sufficient to redirect execution to attacker-supplied shellcode or return-oriented programming gadgets.
Root Cause
The parser trusts size and index values embedded in the DXF file without verifying them against allocated buffer boundaries. Improper validation allows out-of-bounds writes or reads during structure population. The result is a corruptible memory state that an attacker can shape into code execution primitives.
Attack Vector
Exploitation requires user interaction. The target must open a malicious DXF file in IrfanView with the CADImage Plugin enabled, or visit a page that triggers the file handler. The attack runs locally but the malicious file can be delivered remotely through phishing, drive-by download, or shared document workflows. Code executes with the privileges of the IrfanView user, enabling persistence, credential theft, or lateral movement.
No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-7290
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command shells, scripting hosts, or rundll32.exe
- DXF files arriving through email, instant messaging, or external file shares from untrusted senders
- Crashes or unexpected termination of IrfanView coinciding with DXF file open events in the Windows Application event log
- Outbound network connections originating from the IrfanView process to unfamiliar hosts
Detection Strategies
- Monitor process creation events where the parent image is IrfanView and the child image is a Living-off-the-Land binary such as powershell.exe, cmd.exe, or wscript.exe
- Inspect file-open telemetry for DXF extensions handled by the CADImage Plugin DLLs and correlate with subsequent suspicious process activity
- Apply YARA or content rules to scan DXF attachments at the email gateway for malformed section headers and oversized length fields
- Use endpoint behavioral analytics to flag memory protection violations or exception events within the IrfanView process
Monitoring Recommendations
- Enable Windows Defender Exploit Guard or equivalent exploit mitigation logging for the IrfanView process
- Forward Sysmon Event ID 1, 7, and 11 records to a centralized log platform for retrospective hunting on CADImage Plugin DLL loads
- Alert on any DXF file write followed by an IrfanView process crash within a short time window
How to Mitigate CVE-2025-7290
Immediate Actions Required
- Update the CADImage Plugin to the latest version published by CADSoftTools as soon as a fixed release is available
- Restrict DXF file handling to trusted sources and block DXF attachments at email and web gateways where the format is not required
- Remove the CADImage Plugin from IrfanView installations on endpoints that do not require CAD file viewing
- Run IrfanView under a standard user account rather than an administrative account to limit the blast radius of successful exploitation
Patch Information
Review the Zero Day Initiative Advisory ZDI-25-538 for the authoritative disclosure record and any updated vendor remediation status. Apply the CADSoftTools CADImage Plugin update for IrfanView once the vendor publishes a fixed build covering both x86 and x64 distributions. Verify the plugin version after patching by inspecting the file properties of the CADImage DLL in the IrfanView Plugins directory.
Workarounds
- Uninstall or disable the CADImage Plugin until a vendor-supplied fix is deployed
- Deassociate the .dxf file extension from IrfanView so that double-clicking a DXF file does not invoke the vulnerable parser
- Open untrusted DXF files only within an isolated virtual machine or sandbox with no network access and no sensitive data
- Enforce application allowlisting to prevent IrfanView from launching unexpected child processes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

