CVE-2025-7320 Overview
CVE-2025-7320 is a memory corruption vulnerability in the IrfanView CADImage Plugin. The flaw exists in the plugin's DXF (Drawing Exchange Format) file parser and stems from insufficient validation of user-supplied data [CWE-119]. Attackers can trigger the condition by convincing a user to open a crafted DXF file or visit a malicious page that delivers one. Successful exploitation results in arbitrary code execution within the context of the IrfanView process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26418 and published as advisory ZDI-25-567.
Critical Impact
Attackers can execute arbitrary code on affected installations of IrfanView with the CADImage Plugin when a user opens a malicious DXF file, compromising confidentiality, integrity, and availability of the host.
Affected Products
- CADSoftTools CADImage Plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) with CADImage Plugin installed
- Systems processing untrusted DXF files through IrfanView
Discovery Timeline
- 2025-07-21 - CVE-2025-7320 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7320
Vulnerability Analysis
The vulnerability resides in the DXF file parsing logic of the CADImage Plugin loaded by IrfanView. DXF is an ASCII or binary CAD interchange format containing structured entity records, group codes, and length-prefixed data sections. The plugin processes these records without sufficiently validating field sizes or offsets against the actual buffer allocations. When the parser encounters attacker-controlled length or index values, it reads or writes beyond the bounds of an allocated memory region.
This memory corruption condition, classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer), can be shaped by an attacker to overwrite adjacent data structures, function pointers, or return addresses. Successful exploitation grants code execution in the user context running IrfanView. No authentication is required, but user interaction is mandatory: the victim must open the malicious file or navigate to a page that triggers the file handler.
Root Cause
The root cause is missing bounds validation in the DXF parser inside the CADImage Plugin. Untrusted length fields, record counts, or offsets from the DXF file are used directly in memory operations without verifying them against allocated buffer sizes. This allows a crafted DXF file to corrupt process memory during parsing.
Attack Vector
Exploitation requires local file processing but can be initiated remotely through social engineering. An attacker hosts or emails a malicious .dxf file and convinces the target to open it in IrfanView. Alternatively, a web page can deliver the file via a browser download or file-association handler. Because IrfanView runs in the current user's context, the attacker inherits that user's privileges on the host.
No public proof-of-concept or in-the-wild exploitation has been reported. See the Zero Day Initiative Advisory ZDI-25-567 for additional technical context.
Detection Methods for CVE-2025-7320
Indicators of Compromise
- Unexpected i_view32.exe or i_view64.exe child processes spawning shells, cmd.exe, powershell.exe, or rundll32.exe.
- Crashes of IrfanView correlated with the opening of .dxf files, particularly access violations logged in Windows Application event logs.
- Inbound .dxf attachments from untrusted senders or downloads from unfamiliar domains preceding IrfanView execution.
- Modification or creation of files in user profile directories immediately after DXF file open events.
Detection Strategies
- Monitor process creation events where IrfanView is the parent and the child process is a scripting engine, shell, or LOLBin.
- Alert on Windows Error Reporting (WER) entries showing crashes in CADImage.dll or related plugin modules.
- Inspect email and web gateway logs for .dxf file transfers to non-engineering users who do not typically handle CAD data.
Monitoring Recommendations
- Enable command-line and module-load auditing on endpoints running IrfanView to capture plugin activity.
- Correlate file-open telemetry for .dxf extensions with subsequent process, network, and file-write behavior.
- Track installed IrfanView and CADImage Plugin versions across the estate to identify unpatched hosts.
How to Mitigate CVE-2025-7320
Immediate Actions Required
- Inventory all endpoints with IrfanView and the CADImage Plugin installed, prioritizing systems that regularly process externally sourced CAD files.
- Restrict opening of .dxf files from untrusted sources and block DXF attachments at email and web gateways where operationally feasible.
- Warn users against opening unsolicited CAD files and reinforce phishing awareness for engineering and design teams.
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-567 and the vendor pages for CADSoftTools CADImage and IrfanView for updated plugin releases. Apply the latest CADImage Plugin build and update IrfanView to the current version once the vendor issues a fix. Verify the patched version through the plugin's About dialog or file properties after deployment.
Workarounds
- Uninstall or disable the CADImage Plugin on systems that do not require DXF viewing until a patched version is installed.
- Remove the .dxf file association from IrfanView so DXF files are not automatically processed by the vulnerable plugin.
- Run IrfanView under a standard user account with application-level sandboxing or AppLocker rules restricting child process creation.
- Apply exploit mitigations such as Windows Defender Exploit Guard, ASLR, and DEP enforcement for i_view32.exe and i_view64.exe.
# Example: Remove IrfanView association for .dxf on Windows (run as admin)
reg delete "HKCR\.dxf" /f
assoc .dxf=
# Example: Block IrfanView from spawning shells via AppLocker/WDAC policy (concept)
# Create a rule denying i_view32.exe and i_view64.exe from launching cmd.exe, powershell.exe, wscript.exe
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

