CVE-2025-7260
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on installations of IrfanView that have the CADImage plugin. User interaction is required: the target must open a malicious DXF file. The flaw is in the plugin's DXF parsing, where user-supplied data is not properly validated before being written into a buffer, allowing a write past the end of the allocation. Any code the attacker runs executes in the context of the IrfanView process, i.e. with the privileges of the user who opened the file. Users of IrfanView with the CADImage plugin installed are affected.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools: the CAD-format loader (DXF and related formats) that IrfanView ships as CADImage.dll in its separate Plugins package.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the user running IrfanView, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malware installation or data exfiltration when users open malicious DXF files from untrusted sources.
If Mitigated
Limited impact: with the plugin removed or DXF no longer associated with IrfanView, the file is not parsed at all; with IrfanView run as a non-admin user inside application sandboxing, a crafted file at worst crashes the viewer or compromises only that user's session.
🎯 Exploit Status
Exploitation requires the target to open a crafted DXF file, but the plugin is widely installed alongside IrfanView. ZDI has confirmed the vulnerability; no public exploit is referenced on this page, but a confirmed out-of-bounds write in a file parser is a realistic target for exploit development.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not stated on this page. Install the current IrfanView release and the matching Plugins package; the plugin package version must match the IrfanView version.
Vendor Advisory: https://www.irfanview.com/
Restart Required: No system restart. Close IrfanView before updating so that the installer can replace the CADImage.dll that a running instance has loaded.
Instructions:
1. Open IrfanView
2. Go to Help > Check for Updates
3. Install all available updates
4. Verify that Plugins\CADImage.dll in the IrfanView folder was replaced (check its file version and modification date in Properties > Details)
🔧 Temporary Workarounds
Disable DXF file association (Windows)
Remove IrfanView as the default handler for .DXF so a double-clicked file is not parsed by the plugin:
Settings > Apps > Default apps > Choose defaults by file type > .dxf (on older builds: Control Panel > Default Programs > Set Default Programs > IrfanView > Choose defaults for this program > uncheck .DXF). Note that this does not stop a user from opening the file from inside IrfanView.
Remove CADImage plugin (Windows)
Temporarily disable or remove the vulnerable plugin: close IrfanView, then go to the Plugins subfolder of the IrfanView installation (by default C:\Program Files\IrfanView\Plugins) and rename or delete CADImage.dll. IrfanView will then refuse to open DXF and the other CAD formats the plugin handles, which is the intended effect.
🧯 If You Can't Patch
- Use application control (AppLocker or Windows Defender Application Control) to block IrfanView entirely, or to deny loading of the vulnerable CADImage.dll by hash or path, until the patched plugin is installed
- Run IrfanView only as a standard (non-administrator) user and treat DXF files from e-mail or downloads as untrusted; block or quarantine DXF attachments at the mail gateway where the business does not need them
🔍 How to Verify
Check if Vulnerable:
In IrfanView, Help > About shows the program version and Help > Installed PlugIns lists the loaded plugins; if CADImage is listed and predates the fixed Plugins package, the installation is exposed.
Check Version:
The IrfanView executable is i_view64.exe (or i_view32.exe), not irfanview.exe. Right-click it, and Plugins\CADImage.dll, in the installation folder and read Properties > Details > File version.
Verify Fix Applied:
Confirm that IrfanView and the Plugins package from the official site are both at the latest version and that the file version and date of Plugins\CADImage.dll changed after the update.
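The two procedures above, checking what is installed and disabling the plugin until the fix is in, as a single PowerShell script. This is an added example, not IrfanView's own tooling or code from this page. It assumes the default 64-bit install directory and the plugin file name CADImage.dll under Plugins; the page gives no fixed version number, so the script reports versions for comparison against the vendor's current Plugins package rather than deciding on its own:

```powershell
# Added example (not IrfanView's tooling). Assumes the default 64-bit install
# directory; pass -IrfanViewDir for a 32-bit or custom install. Use an elevated
# prompt with -DisablePlugin, because Program Files is writable only by admins.
param(
    [string]$IrfanViewDir = 'C:\Program Files\IrfanView',
    [switch]$DisablePlugin   # rename CADImage.dll so IrfanView cannot load it
)

$PluginPath = Join-Path $IrfanViewDir 'Plugins\CADImage.dll'
# IrfanView's executable is i_view64.exe or i_view32.exe depending on build.
$Exe = Get-ChildItem -LiteralPath $IrfanViewDir -Filter 'i_view*.exe' `
        -ErrorAction SilentlyContinue | Select-Object -First 1

function Get-VersionInfo([string]$Path) {
    # Reads the embedded version resource, the same data shown by Help > About
    # and by the file's Properties > Details tab.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        File        = $item.FullName
        FileVersion = $item.VersionInfo.FileVersion
        Product     = $item.VersionInfo.ProductName
        Modified    = $item.LastWriteTime
    }
}

$irfanInfo  = if ($Exe) { Get-VersionInfo $Exe.FullName } else { $null }
$pluginInfo = Get-VersionInfo $PluginPath

$report = [pscustomobject]@{
    IrfanView      = $irfanInfo
    CADImagePlugin = $pluginInfo
    # The plugin is the vulnerable component: if it is absent (or renamed), DXF
    # files are simply not parsed and this CVE does not apply.
    Exposed        = [bool]$pluginInfo
}
$report | Format-List

if ($report.Exposed) {
    Write-Host 'CADImage.dll is present. Compare its FileVersion/Modified date with' `
               'the current Plugins package on https://www.irfanview.com/ ;' `
               'if it is older, treat this host as vulnerable.'
}

if ($DisablePlugin -and $report.Exposed) {
    if (Get-Process -Name 'i_view64', 'i_view32' -ErrorAction SilentlyContinue) {
        throw 'Close IrfanView first: a running instance keeps the plugin it already loaded.'
    }
    # Rename rather than delete: rollback is renaming the file back once the
    # patched Plugins package is installed (which recreates CADImage.dll anyway).
    Rename-Item -LiteralPath $PluginPath -NewName 'CADImage.dll.disabled'
    Write-Host "Disabled: $PluginPath -> CADImage.dll.disabled"
}
```

Run it as `.\Check-CADImage.ps1` to report, or `.\Check-CADImage.ps1 -DisablePlugin` from an elevated prompt to apply the workaround. Renaming the DLL leaves IrfanView working for every other format; only the CAD formats routed through CADImage stop opening.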
📡 Detection & Monitoring
Log Indicators:
- IrfanView (i_view64.exe / i_view32.exe) crashing when opening DXF files: Windows Application log, Event ID 1000 (Application Error) with CADImage.dll as the faulting module is a strong sign of a malformed or malicious DXF, whether the exploit succeeded or not
- Unexpected child processes spawned by IrfanView (cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe and similar); IrfanView has no normal reason to launch a shell or script host
Network Indicators:
- IrfanView making outbound connections shortly after opening a file; the built-in update check also connects out, so verify the destination before alerting
SIEM Query:
The useful pivot is IrfanView as the parent, not the child. In Sysmon terms: Event ID 1 where ParentImage ends with 'i_view64.exe' or 'i_view32.exe' AND Image is a shell, script host or LOLBin; and Event ID 3 where Image ends with 'i_view64.exe' or 'i_view32.exe'. A query for explorer.exe starting IrfanView with a .dxf on the command line only records normal usage and should at most be kept as context for the above.
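The detection logic above as runnable PowerShell over Sysmon events. This is an added example, not part of the original page or of any vendor product; the event records at the bottom are constructed sample data in the shape of Sysmon Event ID 1 (process creation) and Event ID 3 (network connection), and the list of suspicious child processes is an assumption about what a payload would typically launch:

```powershell
# Added example (not from the page or from IrfanView). Flags the two signals
# worth alerting on: IrfanView as the *parent* of a new process, and IrfanView
# opening an outbound connection. Works on Sysmon events or on any object with
# the same field names.
$IrfanViewImages = @('i_view64.exe', 'i_view32.exe')
# Assumption: shells, script hosts and LOLBins a payload would launch first.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
    'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe',
    'bitsadmin.exe', 'msiexec.exe')

function Test-IrfanViewImage([string]$Path) {
    if (-not $Path) { return $false }
    return $IrfanViewImages -contains ([IO.Path]::GetFileName($Path).ToLower())
}

# Flattens a Sysmon event into an object keyed by EventData field names, so the
# rules below do not depend on field positions (which differ across versions).
function ConvertFrom-SysmonEvent($Event) {
    $xml = [xml]$Event.ToXml()
    $h = @{ Id = [int]$Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Find-IrfanViewAnomaly {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        switch ($Record.Id) {
            1 {
                if (Test-IrfanViewImage $Record.ParentImage) {
                    $child = [IO.Path]::GetFileName($Record.Image).ToLower()
                    $sev = if ($SuspiciousChildren -contains $child) { 'high' } else { 'medium' }
                    [pscustomobject]@{
                        Time     = $Record.TimeCreated
                        Signal   = 'child process of IrfanView'
                        Severity = $sev
                        Detail   = "$($Record.ParentImage) -> $($Record.CommandLine)"
                    }
                }
            }
            3 {
                if (Test-IrfanViewImage $Record.Image) {
                    [pscustomobject]@{
                        Time     = $Record.TimeCreated
                        Signal   = 'outbound connection from IrfanView'
                        Severity = 'medium'   # update check is benign; confirm destination
                        Detail   = "$($Record.Image) -> $($Record.DestinationIp):$($Record.DestinationPort)"
                    }
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry) in Sysmon field naming.
$SampleRecords = @(
    # Explorer launching IrfanView on a DXF: normal usage, not flagged.
    [pscustomobject]@{ Id = 1; TimeCreated = '2025-07-01 09:00:00'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Program Files\IrfanView\i_view64.exe'
        CommandLine = '"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\a\Downloads\plan.dxf"' },
    # IrfanView spawning cmd.exe after the file was opened: flagged high.
    [pscustomobject]@{ Id = 1; TimeCreated = '2025-07-01 09:00:04'
        ParentImage = 'C:\Program Files\IrfanView\i_view64.exe'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c "powershell -nop -w hidden"' },
    # IrfanView connecting out: flagged medium until the destination is checked.
    [pscustomobject]@{ Id = 3; TimeCreated = '2025-07-01 09:00:05'
        Image = 'C:\Program Files\IrfanView\i_view64.exe'
        DestinationIp = '203.0.113.7'; DestinationPort = '443' }
)
$SampleRecords | Find-IrfanViewAnomaly | Format-Table -AutoSize

# Against live data on a host with Sysmon installed:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3 } |
#     ForEach-Object { ConvertFrom-SysmonEvent $_ } | Find-IrfanViewAnomaly
```

Of the three sample records only the last two are reported: the cmd.exe child as high, the connection as medium. The "medium" tier exists because IrfanView's own update check also produces Event ID 3, so that rule is a triage signal rather than a standalone alert unless the destination is not the vendor's site.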