Skip to main content
CVE Vulnerability Database

CVE-2025-7291: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7291 is a remote code execution flaw in Cadsofttools Cadimage DXF file parser that allows attackers to execute arbitrary code through malicious files. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7291 Overview

CVE-2025-7291 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage Plugin. The flaw exists within the parsing of DXF (Drawing Exchange Format) files and stems from insufficient validation of user-supplied data. Attackers who can convince a user to open a crafted DXF file can read past the end of an allocated buffer and execute arbitrary code in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26227 and tracked publicly as ZDI-25-539.

Critical Impact

Successful exploitation grants arbitrary code execution under the privileges of the IrfanView user, enabling full compromise of confidentiality, integrity, and availability on the host.

Affected Products

  • CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) installations using the CADImage Plugin
  • Windows hosts processing DXF files through the affected plugin

Discovery Timeline

  • 2025-07-21 - CVE-2025-7291 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7291

Vulnerability Analysis

The vulnerability resides in the DXF file parser shipped with the IrfanView CADImage Plugin. DXF is an AutoCAD interchange format containing structured groups of records that describe geometry, layers, and metadata. The parser reads attacker-controlled length and offset values from the DXF stream without verifying that subsequent reads remain inside the allocated buffer.

When the plugin processes a malformed DXF file, it dereferences memory beyond the buffer boundary. The out-of-bounds read can return adjacent heap data, including pointers and object metadata, which an attacker can chain with additional control-flow primitives to achieve code execution in the IrfanView process.

Exploitation requires user interaction. The target must open a malicious DXF file or visit a page that delivers one. Because IrfanView runs in the user's session, code executes with the user's privileges and can be combined with local privilege escalation flaws to deepen impact.

Root Cause

The root cause is missing bounds validation on attacker-controlled fields within the DXF parser. The plugin trusts size or index values embedded in the file and uses them directly during buffer indexing, violating safe parsing assumptions for untrusted input. This pattern is consistent with [CWE-125] Out-of-Bounds Read.

Attack Vector

The attack vector is local in CVSS terms but practically reachable through phishing, drive-by downloads, or shared file repositories. A crafted DXF file delivered via email attachment, web download, or removable media triggers the flaw the moment the user opens the file in IrfanView with the CADImage Plugin loaded.

No authentication is required, and the attack does not need network access to the target once the malicious file is delivered. See the Zero Day Initiative Advisory ZDI-25-539 for additional technical context.

Detection Methods for CVE-2025-7291

Indicators of Compromise

  • Unexpected i_view32.exe or i_view64.exe child processes spawning command interpreters such as cmd.exe, powershell.exe, or rundll32.exe
  • DXF files arriving via email, chat, or download from untrusted sources, especially with abnormal file sizes or malformed headers
  • IrfanView process crashes referencing the CADImage Plugin module in Windows Error Reporting logs
  • Outbound network connections originating from the IrfanView process to unfamiliar hosts shortly after a DXF file is opened

Detection Strategies

  • Monitor process lineage where IrfanView is the parent of scripting or living-off-the-land binaries
  • Alert on file writes by the IrfanView process to autorun locations, Startup folders, or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Inspect DXF files at the email and web gateways for malformed group codes or oversized length fields
  • Use behavioral identification of heap corruption and exploit-style memory access patterns within image and CAD viewer processes

Monitoring Recommendations

  • Forward endpoint process, file, and network telemetry to a centralized data lake to enable retrospective hunts once new indicators emerge
  • Track installations of the CADImage Plugin across the fleet and flag versions matching the vulnerable CPEs
  • Review Windows Event Logs for repeated IrfanView crashes that may indicate exploitation attempts or unstable malicious payloads

How to Mitigate CVE-2025-7291

Immediate Actions Required

  • Identify endpoints running IrfanView with the CADImage Plugin and prioritize them for patching
  • Block inbound DXF attachments at the email gateway until affected hosts are remediated
  • Instruct users to avoid opening DXF files from untrusted sources and report suspicious files to the security team
  • Restrict the file association for .dxf to a sandboxed viewer where feasible

Patch Information

No fixed version is referenced in the NVD entry at the time of publication. Administrators should consult the Zero Day Initiative Advisory ZDI-25-539 and the CADSoftTools and IrfanView vendor sites for an updated CADImage Plugin release that addresses the DXF parsing flaw. Apply the patched plugin to every affected host once available.

Workarounds

  • Uninstall or disable the CADImage Plugin from IrfanView until a fixed version is deployed
  • Remove the .dxf file association from IrfanView to prevent automatic invocation of the vulnerable parser
  • Run IrfanView under a low-privilege user account and enforce application allowlisting to constrain post-exploitation activity
  • Enable Windows exploit protection features such as DEP, ASLR, and CFG for the IrfanView executables
bash
# Remove .dxf association from IrfanView on Windows (run as administrator)
assoc .dxf=
ftype IrfanView.DXF=

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.