CVE-2025-7294 Overview
CVE-2025-7294 is a memory corruption vulnerability in the IrfanView CADImage plugin developed by CADSoftTools. The flaw exists in the plugin's parsing of Drawing Exchange Format (DXF) files. An attacker can craft a malicious DXF file that triggers memory corruption when opened by a user, leading to arbitrary code execution in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26230 and tracked publicly as ZDI-25-543. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Successful exploitation allows arbitrary code execution under the privileges of the user running IrfanView when a malicious DXF file is opened.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86 and x64)
- IrfanView image viewer (x86 and x64) with the CADImage plugin installed
- Any workstation configured to associate DXF files with IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7294 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7294
Vulnerability Analysis
The vulnerability resides within the DXF file parsing logic of the CADImage plugin. DXF is an ASCII or binary CAD interchange format that uses group code and value pairs to describe geometric entities, blocks, and tables. The parser fails to properly validate user-supplied data inside the DXF structure before using it to influence memory operations. Processing a crafted record results in a memory corruption condition that an attacker can shape into a controlled write or out-of-bounds access. Because IrfanView loads CADImage in-process, corruption inside the plugin directly compromises the host application.
Exploitation requires user interaction: the victim must open a malicious DXF file or browse to a page that delivers one to a handler associated with IrfanView. No authentication is required, and the attack runs at the local privilege of the logged-in user. The Common Vulnerability Scoring System (CVSS) v3.0 vector indicates impact to confidentiality, integrity, and availability.
Root Cause
The root cause is missing or insufficient validation of attacker-controlled fields parsed from the DXF file. When the plugin consumes these fields, it performs memory operations whose bounds depend on the untrusted input, producing a buffer boundary violation consistent with [CWE-119].
Attack Vector
An attacker delivers a weaponized .dxf file through email, a download link, a shared drive, or a drive-by page that triggers the file handler. When the user opens the file in IrfanView, the CADImage plugin parses it and the corruption is triggered, allowing code execution. See the Zero Day Initiative advisory ZDI-25-543 for further technical context. No public proof-of-concept code is currently available for CVE-2025-7294.
Detection Methods for CVE-2025-7294
Indicators of Compromise
- Unexpected .dxf files arriving via email attachments, removable media, or temporary browser download paths followed by IrfanView execution.
- IrfanView (i_view32.exe or i_view64.exe) spawning child processes such as cmd.exe, powershell.exe, or rundll32.exe.
- IrfanView process crashes or Windows Error Reporting events referencing modules belonging to the CADImage plugin.
- Outbound network connections originating from the IrfanView process shortly after a DXF file is opened.
Detection Strategies
- Build endpoint detection rules that alert when IrfanView creates or injects into a child process, since image viewers should not spawn shells or scripting hosts.
- Inspect file telemetry for DXF files with anomalous size, malformed headers, or entropy inconsistent with legitimate CAD data.
- Hunt for IrfanView loading the CADImage plugin DLL on hosts where CAD workflows are not expected.
Monitoring Recommendations
- Forward Sysmon process creation, image load, and file create events from workstations running IrfanView to a central analytics platform.
- Track Windows Error Reporting and application crash events naming IrfanView or CADImage modules.
- Correlate web proxy and mail gateway logs for inbound .dxf attachments paired with subsequent IrfanView activity on the receiving host.
How to Mitigate CVE-2025-7294
Immediate Actions Required
- Inventory endpoints with IrfanView and identify which installations include the CADImage plugin.
- Remove or disable the CADImage plugin on hosts that do not require DXF support until a fixed build is deployed.
- Block .dxf attachments at the mail gateway and quarantine existing untrusted DXF files pending review.
- Restrict the default file association for .dxf so that opening the file does not automatically invoke IrfanView.
Patch Information
No vendor patch identifier is listed in the NVD entry for CVE-2025-7294 at the time of writing. Administrators should monitor the Zero Day Initiative advisory ZDI-25-543 and the CADSoftTools and IrfanView download pages for updated plugin and application versions, and deploy the corrected CADImage build as soon as it is published.
Workarounds
- Uninstall the CADImage plugin from IrfanView on hosts that do not need CAD file viewing.
- Apply Windows application control (AppLocker or WDAC) policies to prevent IrfanView from launching scripting and shell binaries.
- Open untrusted DXF files only inside a dedicated, isolated virtual machine without network access.
- Train users to treat unsolicited CAD files the same as executable attachments and to validate the sender before opening.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

