CVE-2025-7296 Overview
CVE-2025-7296 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code on affected installations. The flaw resides in the plugin's parsing logic for Drawing Exchange Format (DXF) files and stems from insufficient validation of user-supplied data [CWE-119]. Exploitation requires user interaction: a target must open a malicious DXF file or visit a page that delivers one. Successful exploitation grants code execution in the context of the current process running IrfanView. The vulnerability was reported through Trend Micro's Zero Day Initiative as ZDI-CAN-26243 and disclosed as ZDI-25-546.
Critical Impact
Attackers who convince a user to open a crafted DXF file can execute arbitrary code with the privileges of the IrfanView process, leading to full compromise of the user account.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) installations bundling the CADImage Plugin
- Workstations processing untrusted DXF files through IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7296 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7296
Vulnerability Analysis
The vulnerability is a memory corruption issue triggered during DXF file parsing inside the CADImage Plugin. DXF is an ASCII or binary CAD interchange format containing structured groups of records that describe drawing entities. The plugin processes these records when IrfanView loads a CAD file for preview or conversion. Because the parser does not adequately validate structural fields supplied by the file, attacker-controlled values reach memory operations that assume well-formed input. The result is an out-of-bounds write or related memory corruption condition that overwrites adjacent program state. Attackers can shape that corruption to redirect execution flow and run arbitrary code inside the IrfanView process. The Zero Day Initiative tracks this issue under advisory ZDI-25-546.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer [CWE-119] during DXF record handling. The plugin trusts size or offset values derived from the input file without enforcing the bounds of the destination buffer. A specially crafted record drives the parser into reading or writing past allocated memory, corrupting heap or stack data that the process later uses for control-flow decisions.
Attack Vector
Exploitation requires local file processing combined with user interaction. An attacker delivers a malicious .dxf file through email, web download, removable media, or a drive-by page that prompts the victim to open it in IrfanView. When the user opens the file, the CADImage Plugin parses it and triggers the memory corruption. Code executes in the context of the current user, so any privileges granted to that account become available to the attacker. No network authentication is required because the attack uses the local file processing path of the application.
No verified public proof-of-concept code is available. See the Zero Day Initiative Advisory ZDI-25-546 for vendor-coordinated technical details.
Detection Methods for CVE-2025-7296
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command interpreters such as cmd.exe, powershell.exe, or rundll32.exe
- DXF files delivered from untrusted sources, mail attachments, or temporary browser download folders that are opened by IrfanView
- Crashes or Windows Error Reporting events for IrfanView referencing the CADImage plugin module
- Unsigned or unexpected DLLs loaded into the IrfanView process after a DXF file is opened
Detection Strategies
- Monitor process creation events where IrfanView is the parent and the child is a scripting host, shell, or LOLBin
- Alert on memory protection changes (RWX allocations) within the IrfanView process address space
- Inspect file-open telemetry for DXF extensions originating from network shares, email clients, or browser download directories
Monitoring Recommendations
- Centralize endpoint process and file telemetry in a SIEM and correlate IrfanView activity with subsequent network connections
- Track installations and versions of the CADImage Plugin across the fleet to identify hosts that remain exposed
- Capture and retain crash dumps from IrfanView for forensic review when DXF files are processed
How to Mitigate CVE-2025-7296
Immediate Actions Required
- Inventory endpoints running IrfanView with the CADImage Plugin and prioritize hosts that handle externally sourced CAD files
- Block inbound DXF attachments at the mail gateway and quarantine DXF downloads from untrusted web sources
- Instruct users to avoid opening DXF files from unknown senders until the plugin is updated
- Restrict IrfanView execution to standard user accounts and remove unnecessary local administrator rights
Patch Information
No vendor advisory URL was published in the NVD entry at the time of writing. Users should consult the Zero Day Initiative Advisory ZDI-25-546 and the CADSoftTools and IrfanView download pages for an updated CADImage Plugin build that addresses the DXF parsing flaw. Apply the fixed plugin version on all affected x86 and x64 installations.
Workarounds
- Uninstall or disable the CADImage Plugin in IrfanView until a patched version is available
- Associate .dxf files with a viewer other than IrfanView on systems that must continue to process CAD content
- Open untrusted DXF files only inside a sandboxed virtual machine without network access or sensitive credentials
- Apply Windows Attack Surface Reduction rules that block Office and image viewer applications from creating child processes
# Example: remove the CADImage plugin DLL to neutralize the vulnerable parser
# Adjust the path to match the IrfanView installation directory
ren "C:\Program Files\IrfanView\Plugins\CADImage.dll" CADImage.dll.disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

