CVE-2025-7276
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files with IrfanView's CADImage plugin. Attackers can gain full control of the affected system through memory corruption during DXF file parsing. Users of IrfanView with the CADImage plugin installed are affected.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malicious actors deliver weaponized DXF files via email or websites, leading to system compromise when users open these files with vulnerable IrfanView installations.
If Mitigated
With proper controls, the impact is limited to the user context with no privilege escalation, but still allows local code execution and potential data access.
🎯 Exploit Status
User interaction is required (opening a malicious file). The vulnerability is a memory-corruption-based RCE, a class of bug that is commonly weaponized once details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in advisory, but ZDI-25-523 indicates a fix exists
Vendor Advisory: https://www.irfanview.com/
Restart Required: No
Instructions:
1. Visit https://www.irfanview.com/
2. Download latest version of IrfanView
3. Install over existing installation
4. Ensure CADImage plugin is updated
🔧 Temporary Workarounds
Disable CADImage Plugin
Windows: Remove or disable the vulnerable CADImage plugin from IrfanView
Navigate to IrfanView plugins directory and remove or rename CADImage.dll
Block DXF File Association
Windows: Prevent IrfanView from opening DXF files by default
Control Panel > Default Programs > Associate a file type or protocol with a program > Change .dxf to open with different application
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of IrfanView
- Use email/web filtering to block DXF files from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check the IrfanView version and the plugin version. If the CADImage plugin is in use and its version is not the latest, assume the installation is vulnerable.
Check Version:
Open IrfanView > Help > About or check file properties of IrfanView.exe
Verify Fix Applied:
Verify IrfanView and CADImage plugin are updated to latest versions from official website
📡 Detection & Monitoring
Log Indicators:
- IrfanView process crashes when opening DXF files
- Unusual process creation from IrfanView.exe
Network Indicators:
- Downloads of DXF files from suspicious sources
- Outbound connections from IrfanView process
SIEM Query:
Process Creation: ParentImage contains 'irfanview' AND (CommandLine contains '.dxf' OR Image contains suspicious patterns)
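The SIEM query above, written out as an added Python example (not part of the original advisory) and run over constructed process-creation records. The field names follow Sysmon Event ID 1; the list of suspicious child images, the install paths and the sample events are assumptions made for illustration.

```python
import ntpath

# Assumption: concrete stand-in for the query's "suspicious patterns".
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def match(event):
    """Return the reasons an event matches the rule, or None if it does not."""
    # The substring test relies on the install directory being named IrfanView.
    if "irfanview" not in event.get("ParentImage", "").lower():
        return None
    child = ntpath.basename(event.get("Image", "")).lower()
    # The opened file is normally on the parent's command line; the child's
    # own command line is checked as well, as in the query above.
    cmdlines = " ".join((event.get("ParentCommandLine", ""),
                         event.get("CommandLine", ""))).lower()
    reasons = []
    if ".dxf" in cmdlines:
        reasons.append("dxf-in-commandline")
    if child in SUSPICIOUS_CHILDREN:
        reasons.append("suspicious-child:" + child)
    return ",".join(reasons) or None

def triage(events):
    """Return (child image, reasons) for every matching event."""
    return [(e["Image"], r) for e in events if (r := match(e))]

# Assumed default install paths.
IV64 = r"C:\Program Files\IrfanView\i_view64.exe"
IV32 = r"C:\Program Files (x86)\IrfanView\i_view32.exe"

def ev(parent, parent_cmd, image, cmd):
    return {"ParentImage": parent, "ParentCommandLine": parent_cmd,
            "Image": image, "CommandLine": cmd}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ev(IV64, IV64 + r" C:\Users\a\Downloads\plan.DXF",
       r"C:\Windows\System32\cmd.exe", "cmd.exe /c ver"),
    ev(IV64, IV64 + r" C:\Users\a\Pictures\cat.jpg",
       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ev(r"C:\Windows\explorer.exe", "explorer.exe",
       IV64, IV64 + r" C:\Users\a\Downloads\plan.dxf"),
    ev(IV32, IV32 + r" C:\Users\a\Pictures\scan.png",
       r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", reasons)
```

The third sample event, a user opening a DXF file from Explorer, does not match because the rule keys on IrfanView as the parent process, not as the child.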