CVE-2025-7292 Overview
CVE-2025-7292 is a memory corruption vulnerability in the IrfanView CADImage Plugin. The flaw exists in the parsing logic for Drawing Exchange Format (DXF) files. Attackers can leverage this vulnerability to execute arbitrary code in the context of the current process. Exploitation requires user interaction, where a victim must open a crafted DXF file or visit a malicious page that delivers one. The vulnerability is tracked by the Zero Day Initiative as ZDI-CAN-26228 and was published as ZDI-25-540. The weakness is classified under [CWE-119], improper restriction of operations within the bounds of a memory buffer.
Critical Impact
Successful exploitation grants arbitrary code execution under the privileges of the user running IrfanView, enabling installation of malware, credential theft, or lateral movement.
Affected Products
- IrfanView (x64 and x86 builds)
- CADSoftTools CADImage Plugin for IrfanView (x64)
- CADSoftTools CADImage Plugin for IrfanView (x86)
Discovery Timeline
- 2025-07-21 - CVE-2025-7292 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7292
Vulnerability Analysis
The vulnerability resides in the DXF file parser implemented by the CADImage plugin loaded by IrfanView. DXF is an ASCII or binary CAD interchange format containing structured records that describe geometric entities, layers, and metadata. The parser processes attacker-controlled fields without enforcing correct length or type constraints. This produces a memory corruption condition during file ingestion. The resulting state allows control over adjacent memory regions used by the plugin process.
Because IrfanView runs as a user-mode desktop application, the corrupted memory can be steered toward attacker-controlled execution paths. The Zero Day Initiative classifies the issue as remote code execution despite requiring local file handling, because malicious DXF content can be delivered through web pages, email attachments, archive bundles, or shared drives.
Root Cause
The root cause is the lack of proper validation of user-supplied data when parsing DXF structures, mapped to [CWE-119]. Field lengths, counts, or offsets read from the file are trusted and used directly in memory operations. When attacker-supplied values exceed the bounds of internal buffers, the parser writes beyond intended memory regions and corrupts adjacent data structures.
Attack Vector
The attack vector is local file processing initiated by the user. An attacker crafts a malicious DXF file and delivers it through phishing, drive-by download, or shared storage. When the victim opens the file in IrfanView with the CADImage plugin installed, the parser triggers the memory corruption and the embedded payload executes with the user's privileges. No authentication is required, and no privileged context is needed on the target system.
No verified public proof-of-concept is available. Technical details are summarized in the Zero Day Initiative advisory ZDI-25-540.
Detection Methods for CVE-2025-7292
Indicators of Compromise
- Unexpected child processes spawned by i_view64.exe or i_view32.exe, particularly command interpreters, scripting hosts, or rundll32.exe.
- DXF files arriving through email, browser downloads, or removable media followed by IrfanView process activity.
- Crashes or unhandled exceptions in IrfanView correlated with DXF file opens, captured in Windows Error Reporting (WerFault.exe).
- Outbound network connections originating from the IrfanView process shortly after a file open event.
Detection Strategies
- Monitor process creation events where the parent image is IrfanView and the child image is an interactive shell, PowerShell, or LOLBin.
- Inspect file write activity in user-writable directories that immediately follows a DXF file open in IrfanView.
- Apply YARA or content-based rules to flag DXF files containing anomalously long ASCII group code values or malformed entity headers.
Monitoring Recommendations
- Forward endpoint process, file, and network telemetry to a centralized analytics platform for correlation across the IrfanView execution chain.
- Enable Windows Defender Exploit Guard or equivalent exploit mitigations and alert on blocked exploitation attempts targeting IrfanView.
- Track installations of the CADImage plugin across the fleet to maintain an accurate exposure inventory.
How to Mitigate CVE-2025-7292
Immediate Actions Required
- Update IrfanView and the CADImage plugin to the latest versions published by IrfanView and CADSoftTools.
- Remove the CADImage plugin from endpoints that do not require DXF or CAD format support.
- Block inbound DXF attachments at the email gateway and inspect web downloads for the .dxf extension and CAD MIME types.
- Restrict default file associations so DXF files do not open automatically in IrfanView from browsers or mail clients.
Patch Information
Vendor patch information is not published in the NVD record at the time of writing. Review the ZDI-25-540 advisory and the IrfanView and CADSoftTools download pages for updated plugin and application builds that address the DXF parsing flaw.
Workarounds
- Uninstall the CADImage plugin until a fixed version is verified in the environment.
- Open untrusted DXF files only inside an isolated virtual machine or sandbox without network access.
- Enforce application allow-listing to prevent unsigned binaries from executing if the IrfanView process is compromised.
# Configuration example: remove CADImage plugin DLLs from IrfanView Plugins directory
set IRFAN_DIR="C:\Program Files\IrfanView\Plugins"
del /F /Q "%IRFAN_DIR%\CADIMAGE.DLL"
del /F /Q "%IRFAN_DIR%\CADImage*.dll"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

