CVE-2025-7325 Overview
CVE-2025-7325 is a memory corruption vulnerability in the IrfanView CADImage Plugin that allows attackers to execute arbitrary code on affected installations. The flaw resides in the plugin's parser for Drawing Exchange Format (DXF) files and stems from insufficient validation of user-supplied data. Exploitation requires user interaction: the target must open a malicious DXF file or visit a page delivering one. Successful exploitation grants code execution in the context of the current user process. The issue was reported through Trend Micro's Zero Day Initiative as ZDI-CAN-26434 and disclosed publicly as advisory ZDI-25-572. The vulnerability is tracked under [CWE-119].
Critical Impact
Attackers can execute arbitrary code on Windows systems running vulnerable versions of IrfanView with the CADImage plugin by delivering a crafted DXF file that triggers memory corruption during parsing.
Affected Products
- CADSoftTools CADImage plugin for IrfanView (x86 and x64)
- IrfanView (x86 and x64) installations with the CADImage plugin loaded
- Windows systems using IrfanView to preview or convert DXF CAD files
Discovery Timeline
- 2025-07-21 - CVE-2025-7325 published to the National Vulnerability Database
- 2025-07-21 - Zero Day Initiative publishes advisory ZDI-25-572
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7325
Vulnerability Analysis
The vulnerability resides in the DXF file parsing logic implemented by the CADImage plugin, which extends IrfanView with support for CAD file formats. DXF is an ASCII or binary interchange format used by AutoCAD and related tools to represent 2D and 3D drawing data. When the plugin processes a malformed DXF structure, it fails to validate attacker-controlled fields before using them in memory operations. This produces a memory corruption condition classified as [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). An attacker who controls the corrupted memory region can redirect execution flow and run arbitrary code in the security context of the IrfanView process.
Root Cause
The root cause is missing bounds and type validation on values read from the untrusted DXF input stream. The plugin trusts length or index fields embedded in the file when performing buffer operations, allowing an attacker to write outside the intended buffer or interpret memory as an unintended type. No cryptographic or authentication boundary protects the parser, since users routinely open DXF files from untrusted sources.
Attack Vector
Exploitation requires the victim to open a crafted DXF file with IrfanView or navigate to a web resource that serves such a file to the local application. Because DXF is a file format commonly exchanged in engineering, architecture, and manufacturing workflows, social engineering through email attachments or file-sharing links is a plausible delivery method. The attacker gains code execution with the privileges of the user running IrfanView, enabling follow-on actions such as credential theft, persistence, or lateral movement.
No public proof-of-concept exploit is available at time of writing. Technical detail is limited to the Zero Day Initiative Advisory ZDI-25-572.
Detection Methods for CVE-2025-7325
Indicators of Compromise
- Unexpected child processes spawned by i_view32.exe or i_view64.exe, particularly command interpreters such as cmd.exe, powershell.exe, or rundll32.exe.
- IrfanView process crashes with access violation exceptions when handling .dxf files, visible in the Windows Application event log.
- Inbound .dxf attachments from untrusted senders, or DXF files downloaded from web sources outside normal engineering workflows.
- Outbound network connections from the IrfanView process to previously unseen external hosts shortly after opening a CAD file.
Detection Strategies
- Alert on process lineage where i_view32.exe or i_view64.exe is the parent of a shell, script interpreter, or LOLBin.
- Monitor endpoint telemetry for the CADImage plugin DLL (CADIMAGE.DLL) loaded into IrfanView, and correlate with subsequent anomalous memory or thread activity.
- Use YARA rules that flag DXF files with malformed section headers, oversized group codes, or entity records that exceed declared bounds.
Monitoring Recommendations
- Ingest IrfanView process telemetry and Windows Error Reporting crash data into a centralized SIEM for correlation across endpoints.
- Enable Windows Defender Exploit Guard or equivalent to log Data Execution Prevention (DEP) and Control Flow Guard (CFG) violations originating from IrfanView.
- Track email and web gateways for .dxf file transfers, and route uncommon senders through sandbox detonation before delivery.
How to Mitigate CVE-2025-7325
Immediate Actions Required
- Inventory endpoints running IrfanView and identify systems where the CADImage plugin is installed.
- Restrict opening of DXF files from untrusted sources, including email attachments and unverified downloads, until a patched plugin version is deployed.
- Remove or disable the CADImage plugin on hosts that do not require CAD file support in IrfanView.
Patch Information
CADSoftTools has not published a specific patched version identifier in the referenced advisory. Administrators should consult the Zero Day Initiative Advisory ZDI-25-572 and the CADSoftTools download page for the latest CADImage plugin release, then apply the update to all affected IrfanView installations. Verify the plugin version after installation to confirm remediation.
Workarounds
- Uninstall or disable the CADImage plugin by removing CADIMAGE.DLL from the IrfanView Plugins directory until an updated build is available.
- Change the default handler for .dxf files to a viewer that does not use the vulnerable plugin, and block execution of IrfanView on DXF files through application control policies.
- Enforce Attack Surface Reduction rules that prevent Office and browser processes from launching IrfanView with attacker-supplied file arguments.
# Example: remove the CADImage plugin DLL as a temporary workaround
del "C:\Program Files\IrfanView\Plugins\CADIMAGE.DLL"
del "C:\Program Files (x86)\IrfanView\Plugins\CADIMAGE.DLL"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

