Skip to main content
CVE Vulnerability Database

CVE-2025-7293: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7293 is a remote code execution flaw in Cadsofttools Cadimage DXF file parsing that allows attackers to execute arbitrary code. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2025-7293 Overview

CVE-2025-7293 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code through crafted Drawing Exchange Format (DXF) files. The flaw resides in the DXF file parsing logic, where insufficient validation of user-supplied data leads to memory corruption [CWE-119]. Exploitation requires user interaction: a victim must open a malicious DXF file or visit a page that delivers one. Successful exploitation grants code execution in the context of the current IrfanView process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26229 and is tracked in advisory ZDI-25-541.

Critical Impact

Attackers can achieve arbitrary code execution on Windows systems running vulnerable versions of IrfanView with the CADImage plugin installed when a user opens a malicious DXF file.

Affected Products

  • CadSoftTools CADImage plugin for IrfanView (x86 and x64)
  • IrfanView image viewer (x86 and x64)
  • Windows systems with the CADImage plugin loaded

Discovery Timeline

  • 2025-07-21 - CVE-2025-7293 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in the NVD database

Technical Details for CVE-2025-7293

Vulnerability Analysis

The CADImage plugin extends IrfanView with support for computer-aided design file formats, including AutoCAD DXF. DXF is a structured ASCII or binary format containing geometric, layer, and block definitions that the plugin must parse to render the drawing. CVE-2025-7293 stems from improper bounds checking during this parsing routine.

When the plugin processes attacker-controlled fields inside a DXF file, it fails to validate length or structural constraints before copying data into fixed-size memory regions. The resulting memory corruption [CWE-119] enables an attacker to overwrite adjacent memory structures, including control data such as function pointers or return addresses. With careful crafting, this corruption leads to arbitrary code execution within the IrfanView process.

The attack vector is local in CVSS terms because the malicious file must reach the target, but the file can be delivered through email, web download, or shared storage. Privileges acquired match those of the user running IrfanView, which on typical workstations means full user-level access to documents and credentials.

Root Cause

The root cause is the absence of proper validation of user-supplied data during DXF parsing. The plugin trusts length and offset values embedded in the file without verifying that subsequent read or write operations stay within allocated buffers.

Attack Vector

An attacker crafts a malicious .dxf file with manipulated structural fields and delivers it via phishing email, drive-by download, or a compromised file share. When the user opens the file in IrfanView, the CADImage plugin processes the malformed data, triggering memory corruption and executing the attacker's payload in the user's session.

No verified public proof-of-concept code is available. Refer to the Zero Day Initiative Advisory ZDI-25-541 for additional technical details.

Detection Methods for CVE-2025-7293

Indicators of Compromise

  • Unexpected i_view32.exe or i_view64.exe child processes spawning command shells, powershell.exe, or rundll32.exe
  • DXF files originating from email attachments, browser downloads, or removable media followed by IrfanView process anomalies
  • Crash dumps or Windows Error Reporting entries referencing the CADImage plugin DLL
  • Outbound network connections initiated by the IrfanView process to untrusted hosts

Detection Strategies

  • Monitor IrfanView process behavior for memory access violations, exception handler abuse, and unexpected module loads
  • Inspect DXF files at email and web proxies for malformed headers or oversized entity sections inconsistent with the format specification
  • Hunt for process lineage where IrfanView spawns interpreters, scripting hosts, or LOLBins

Monitoring Recommendations

  • Enable Windows Defender Exploit Guard and Attack Surface Reduction rules that block Office and viewer applications from creating child processes
  • Collect endpoint telemetry covering process creation, image loads, and file open events for image viewers
  • Alert on creation or modification of DXF files in user download directories followed by rapid execution

How to Mitigate CVE-2025-7293

Immediate Actions Required

  • Inventory endpoints with IrfanView and the CADImage plugin installed and prioritize them for remediation
  • Restrict opening of DXF files from untrusted sources until a fixed plugin version is deployed
  • Apply the latest CADImage plugin update from CadSoftTools once published and verify the version after deployment

Patch Information

Consult CadSoftTools and the IrfanView plugin distribution site for the patched CADImage release that addresses CVE-2025-7293. The Zero Day Initiative Advisory ZDI-25-541 tracks vendor coordination status for this issue.

Workarounds

  • Uninstall or disable the CADImage plugin if DXF and CAD format support is not required
  • Remove file associations for .dxf files from IrfanView and route them to a sandboxed viewer
  • Enforce application allowlisting and Mark-of-the-Web policies so DXF files from the internet cannot be opened without explicit user consent
  • Run IrfanView under a standard user account with no administrative privileges to limit post-exploitation impact
bash
# Remove the .dxf file association from IrfanView on Windows (run elevated)
reg delete "HKCR\.dxf" /f
reg delete "HKCU\Software\Classes\.dxf" /f

# Verify CADImage plugin DLL version after patching
powershell -Command "(Get-Item 'C:\Program Files\IrfanView\Plugins\CADImage.dll').VersionInfo"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.