CVE-2025-7238
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files with IrfanView's CADImage plugin. Attackers can gain full control of the affected system through a buffer overflow in the DXF parsing component. Users of IrfanView with the CADImage plugin installed are affected.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malware installation or system compromise when users open malicious DXF files from untrusted sources, with attackers typically gaining user-level access.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially containing the damage to the application context.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file). The vulnerability is an out-of-bounds write that can lead to arbitrary code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check IrfanView updates or vendor advisory for specific version
Vendor Advisory: https://www.irfanview.com/
Restart Required: Yes
Instructions:
1. Open IrfanView
2. Go to Help > Check for Updates
3. Follow update instructions
4. Restart IrfanView after update
🔧 Temporary Workarounds
Disable CADImage Plugin
Windows: Remove or disable the vulnerable CADImage plugin from IrfanView
Navigate to IrfanView plugins folder and remove or rename CADImage plugin files
Block DXF File Association
Windows: Prevent IrfanView from opening DXF files by default
Use Windows File Association settings to change DXF file handler to another application
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized code
- Use endpoint protection with exploit prevention capabilities
🔍 How to Verify
Check if Vulnerable:
Check IrfanView version and verify if CADImage plugin is installed/enabled
Check Version:
Open IrfanView and go to Help > About or check program properties
Verify Fix Applied:
Verify that IrfanView has been updated to the latest version and that the CADImage plugin version is patched
📡 Detection & Monitoring
Log Indicators:
- IrfanView crash logs with memory access violations
- Unexpected process creation from IrfanView
Network Indicators:
- Downloads of DXF files from untrusted sources
- Outbound connections from IrfanView process
SIEM Query:
Process Creation where Parent Process contains 'i_view' AND Command Line contains '.dxf'
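The SIEM query and the two log indicators above, worked through as an added example (not part of the original advisory or any vendor tooling). It assumes Sysmon Event ID 1 field names, that the '.dxf' match applies to the parent's command line, and that WerFault.exe appears as a child of the crashing process; the sample events are constructed.

```python
import ntpath
import re

# The page's query matches parents containing 'i_view'; IrfanView ships i_view32.exe / i_view64.exe.
IRFANVIEW = re.compile(r"^i_view(32|64)?\.exe$", re.IGNORECASE)
# '.dxf' as the end of a command-line argument, so 'notes.dxf.txt' does not match.
DXF_ARG = re.compile(r"""\.dxf(?=["'\s]|$)""", re.IGNORECASE)
# Assumption: Windows Error Reporting is started by the crashing process.
CRASH_HANDLERS = {"werfault.exe"}

def triage(events):
    """Label process-creation events where IrfanView, opened on a DXF file, started a child."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:  # Sysmon process creation only
            continue
        parent = ntpath.basename(ev.get("ParentImage", ""))
        if not IRFANVIEW.match(parent):
            continue
        if not DXF_ARG.search(ev.get("ParentCommandLine", "")):
            continue
        child = ntpath.basename(ev.get("Image", "")).lower()
        # A crash handler maps to the "memory access violation" indicator,
        # anything else to "unexpected process creation from IrfanView".
        label = "crash" if child in CRASH_HANDLERS else "process-creation"
        findings.append((label, child))
    return findings

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\IrfanView\i_view64.exe",
     "ParentCommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\a\Downloads\plan.dxf"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Program Files (x86)\IrfanView\i_view32.exe",
     "ParentCommandLine": r"i_view32.exe C:\cad\DRAWING.DXF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\IrfanView\i_view64.exe",
     "ParentCommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\a\photo.jpg"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\IrfanView\i_view64.exe"},
]

if __name__ == "__main__":
    for label, child in triage(SAMPLE_EVENTS):
        print(f"{label}: {child}")
```

Matching on the parent's command line rather than the child's matters here: a process started by IrfanView rarely carries the DXF path in its own arguments.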