Skip to main content
CVE Vulnerability Database

CVE-2025-7298: Cadsofttools Cadimage RCE Vulnerability

CVE-2025-7298 is a remote code execution flaw in Cadsofttools Cadimage affecting DXF file parsing that enables attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7298 Overview

CVE-2025-7298 is an out-of-bounds read vulnerability [CWE-125] in the IrfanView CADImage plugin developed by CADSoftTools. The flaw resides in the plugin's DXF file parser, which fails to properly validate user-supplied data before reading from an allocated buffer. Attackers can exploit this issue to execute arbitrary code in the context of the current user process. Exploitation requires user interaction, such as opening a crafted DXF file or visiting a malicious page. The Zero Day Initiative tracked this issue as ZDI-CAN-26246 and published advisory ZDI-25-542.

Critical Impact

Successful exploitation grants attackers arbitrary code execution within the IrfanView process, leading to confidentiality, integrity, and availability compromise on the affected host.

Affected Products

  • CADSoftTools CADImage plugin for IrfanView (x86 and x64)
  • IrfanView (x86 and x64) with the CADImage plugin installed
  • Windows installations using IrfanView for DXF file rendering

Discovery Timeline

  • 2025-07-21 - CVE-2025-7298 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7298

Vulnerability Analysis

The vulnerability exists in the CADImage plugin component that parses Drawing Exchange Format (DXF) files. DXF is an ASCII or binary representation of AutoCAD drawings, and the parser processes structured entity records and group codes. The plugin fails to verify that field-derived offsets and lengths remain within the bounds of allocated heap buffers. When a crafted DXF supplies oversized or malformed size fields, the parser reads memory past the end of the buffer.

This out-of-bounds read can leak adjacent heap data and, in combination with controlled allocation layout, can be chained to redirect execution flow. The Zero Day Initiative advisory confirms the issue can be leveraged to execute code in the context of the current process. Because IrfanView typically runs with the privileges of the interactive user, code execution inherits those rights.

Root Cause

The root cause is missing input validation on size and offset fields parsed from DXF records. The plugin trusts attacker-controllable values when computing read positions, allowing the read pointer to advance beyond the allocated buffer boundary. This pattern maps directly to [CWE-125] Out-of-Bounds Read.

Attack Vector

The attack requires user interaction. A target user must open a malicious DXF file or visit a web page that triggers IrfanView to process such a file. Common delivery paths include phishing emails with attached DXF files, drive-by downloads, and shared file repositories. No authentication or special privileges are required by the attacker.

No public proof-of-concept exploit is currently available. See the Zero Day Initiative Advisory ZDI-25-542 for additional technical context.

Detection Methods for CVE-2025-7298

Indicators of Compromise

  • DXF files received from untrusted sources, especially via email attachments or web downloads, opened by i_view32.exe or i_view64.exe
  • Unexpected child processes spawned by IrfanView, such as cmd.exe, powershell.exe, or scripting hosts
  • Crash dumps referencing the CADImage plugin module during DXF parsing
  • Outbound network connections initiated by the IrfanView process shortly after file open

Detection Strategies

  • Monitor process creation events where IrfanView is the parent of interpreters, shells, or LOLBins
  • Inspect file write activity by IrfanView to directories such as %TEMP%, %APPDATA%, and Startup folders
  • Apply YARA or content rules against DXF files with malformed group codes or oversized length fields
  • Correlate email gateway and proxy logs with endpoint file-open telemetry for DXF artifacts

Monitoring Recommendations

  • Enable command-line and module-load logging on hosts running IrfanView with the CADImage plugin
  • Forward endpoint telemetry to a central SIEM and alert on anomalous behavior from image viewer processes
  • Track DXF file ingress through mail and web channels and flag files from external senders

How to Mitigate CVE-2025-7298

Immediate Actions Required

  • Inventory all systems running IrfanView with the CADImage plugin installed
  • Restrict opening DXF files originating from external or untrusted sources
  • Remove or disable the CADImage plugin on systems that do not require DXF support
  • Communicate phishing awareness guidance focused on CAD and drawing file attachments

Patch Information

As of the last NVD update, no vendor patch URL is listed in the public advisory data. Administrators should consult the Zero Day Initiative Advisory ZDI-25-542 and the CADSoftTools and IrfanView vendor sites for the latest plugin updates. Apply any released CADImage plugin update immediately and verify the installed version after deployment.

Workarounds

  • Uninstall the CADImage plugin from IrfanView installations that do not need DXF rendering
  • Block .dxf file attachments at the email gateway or quarantine them for inspection
  • Apply application control policies that prevent IrfanView from spawning interpreters and shells
  • Run IrfanView under a low-privilege standard user account and enforce Windows exploit protection settings
bash
# Example: block DXF attachments at the gateway and restrict plugin directory access
# Windows ACL example to deny execution of the CADImage plugin DLL
icacls "C:\Program Files\IrfanView\Plugins\CADIMAGE.DLL" /deny Everyone:(RX)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.