CVE-2025-7272

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files with IrfanView's CADImage plugin. The memory corruption flaw in DXF file parsing can lead to complete system compromise. Users of IrfanView with the CADImage plugin installed are affected.

💻 Affected Systems

Products:
  • IrfanView CADImage Plugin
Versions: Prior to the fix (specific version unknown from provided data)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires CADImage plugin installation and user interaction to open malicious DXF file

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with attacker gaining the same privileges as the user running IrfanView, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Malware installation or data exfiltration when users open malicious DXF files from untrusted sources.

🟢 If Mitigated

Limited impact if user runs with minimal privileges and security controls prevent execution of malicious payloads.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening a malicious file), but exploit development is likely straightforward given the memory corruption nature of the flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown from provided references

Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-521/

Restart Required: No

Instructions:

1. Check IrfanView official website for updates
2. Update to latest version of IrfanView and CADImage plugin
3. Verify plugin version after update

🔧 Temporary Workarounds

Disable CADImage Plugin

Platform: Windows

Remove or disable the vulnerable CADImage plugin from IrfanView

Navigate to IrfanView plugins directory and remove CADImage plugin files

Block DXF File Association

Platform: Windows

Prevent IrfanView from opening DXF files by default

Use Windows File Association settings to change DXF file handler

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized executables
  • Restrict user privileges to limit potential damage from exploitation

🔍 How to Verify

Check if Vulnerable:

Check IrfanView Help > About dialog for version information and verify CADImage plugin is installed

Check Version:

irfanview.exe /? or check Help > About in the application

Verify Fix Applied:

Update IrfanView and CADImage plugin, then verify version is newer than vulnerable versions

📡 Detection & Monitoring

Log Indicators:

  • IrfanView process spawning unexpected child processes
  • Crash logs from IrfanView when processing DXF files

Network Indicators:

  • Outbound connections from IrfanView process to suspicious IPs

SIEM Query:

Process Creation where ParentImage contains 'irfanview.exe' and CommandLine contains '.dxf'
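
The child-process indicator and the query above, applied to process-creation events, as an added example that is not part of the original page. It assumes Sysmon Event ID 1 field names (Image, ParentImage, ParentCommandLine), checks for the .dxf path on the parent's command line because that is where an opened file name appears, and adds i_view32.exe / i_view64.exe, the names IrfanView's executables ship under, next to the page's 'irfanview.exe'; all sample events are constructed.

```python
import ntpath

# Parent image names to watch. 'irfanview.exe' is the name used in the query on
# this page; i_view32.exe / i_view64.exe are added as an assumption about how
# the executable is named on the monitored hosts.
IRFANVIEW_IMAGES = {"irfanview.exe", "i_view32.exe", "i_view64.exe"}

def is_irfanview(image_path):
    """Compare only the file name, case-insensitively, so install path does not matter."""
    return ntpath.basename(image_path or "").lower() in IRFANVIEW_IMAGES

def parent_opened_dxf(parent_cmdline):
    """True if any token of the parent's command line ends in .dxf."""
    tokens = (parent_cmdline or "").lower().replace('"', " ").split()
    return any(t.endswith(".dxf") for t in tokens)

def triage(events):
    """Return (severity, event) for every process whose parent is IrfanView."""
    hits = []
    for ev in events:
        if not is_irfanview(ev.get("ParentImage")):
            continue
        # Any child of the viewer is reviewed; one spawned while a DXF was open ranks higher.
        sev = "high" if parent_opened_dxf(ev.get("ParentCommandLine")) else "medium"
        hits.append((sev, ev))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\IrfanView\i_view64.exe",
     "ParentCommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\test\Downloads\part.dxf"'},
    {"Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Program Files\IrfanView\i_view64.exe",
     "ParentCommandLine": r'"C:\Program Files\IrfanView\i_view64.exe" "C:\Users\test\Pictures\photo.jpg"'},
    {"Image": r"C:\Program Files\IrfanView\i_view64.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for sev, ev in triage(SAMPLE_EVENTS):
        print(sev, ntpath.basename(ev["Image"]), "<-", ev["ParentCommandLine"])
```

The third event is IrfanView being started by Explorer; it is not a child of IrfanView and is not flagged.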
