CVE-2025-7294
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files with IrfanView's CADImage plugin. The flaw stems from improper memory handling during DXF file parsing, enabling attackers to run code with the same privileges as the IrfanView process. Users of IrfanView with the CADImage plugin installed are affected.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to malware installation, data exfiltration, or system disruption on the compromised workstation.
If Mitigated
Limited impact to isolated systems with proper application sandboxing and user privilege restrictions, potentially resulting only in application crashes.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file). The vulnerability is a memory corruption issue that requires a specially crafted file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown from provided references - check vendor advisory
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-543/
Restart Required: Yes
Instructions:
1. Visit IrfanView official website
2. Download latest version with CADImage plugin updates
3. Install update
4. Restart system
🔧 Temporary Workarounds
Disable DXF file association
Windows: Remove IrfanView as the default handler for DXF files to prevent automatic opening
Control Panel > Default Programs > Set Associations > Remove IrfanView from .dxf
Uninstall CADImage plugin
Windows: Remove the vulnerable plugin while maintaining core IrfanView functionality
Control Panel > Programs > Uninstall IrfanView CADImage Plugin
🧯 If You Can't Patch
- Implement application whitelisting to block IrfanView execution
- Use endpoint protection with memory corruption exploit prevention
🔍 How to Verify
Check if Vulnerable:
Check IrfanView Help > About for CADImage plugin version and compare with patched version from vendor advisory
Check Version:
irfanview.exe /? or check Help > About in application
Verify Fix Applied:
Verify installed version matches or exceeds patched version from vendor advisory
📡 Detection & Monitoring
Log Indicators:
- IrfanView process spawning unexpected child processes
- Multiple IrfanView crashes with memory access violations
- DXF file processing errors in application logs
Network Indicators:
- Outbound connections from IrfanView process to unknown IPs
- Unusual network traffic following DXF file opening
SIEM Query:
Process Creation where Image contains 'i_view' AND ParentImage contains 'explorer' AND CommandLine contains '.dxf'
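The query above, combined with the "unexpected child processes" indicator, as an added example that is not part of the original advisory. It assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine, ProcessGuid, ParentProcessGuid); all event values are constructed samples.

```python
# Constructed Sysmon-style process-creation events (Event ID 1 field names).
# Paths, GUIDs and file names are sample values, not taken from the advisory.
IV = r"C:\Program Files\IrfanView\i_view64.exe"
EVENTS = [
    {"ProcessGuid": "A1", "ParentProcessGuid": "E0", "Image": IV,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"i_view64.exe" "C:\Users\u\Downloads\plan.DXF"'},
    {"ProcessGuid": "A2", "ParentProcessGuid": "A1",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": IV,
     "CommandLine": "cmd.exe"},
    {"ProcessGuid": "B1", "ParentProcessGuid": "E0", "Image": IV,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"i_view64.exe" "C:\Users\u\Pictures\cat.jpg"'},
    {"ProcessGuid": "B2", "ParentProcessGuid": "B1",
     "Image": r"C:\Windows\System32\mspaint.exe", "ParentImage": IV,
     "CommandLine": "mspaint.exe cat.jpg"},
]

def _has(event, field, needle):
    """Case-insensitive 'contains' on one event field."""
    return needle in event.get(field, "").lower()

def is_dxf_open(event):
    """The SIEM query from the page: IrfanView started by Explorer on a .dxf file."""
    return (_has(event, "Image", "i_view")
            and _has(event, "ParentImage", "explorer")
            and _has(event, "CommandLine", ".dxf"))

def detect(events):
    """Return (dxf_opens, child_alerts).

    child_alerts lists every process whose parent is IrfanView; severity is
    'high' when that parent instance was the one that opened a DXF file.
    """
    opens = [e for e in events if is_dxf_open(e)]
    dxf_guids = {e["ProcessGuid"] for e in opens}
    alerts = []
    for e in events:
        if _has(e, "ParentImage", "i_view"):
            parent = e.get("ParentProcessGuid")
            sev = "high" if parent in dxf_guids else "medium"
            alerts.append((sev, e["Image"], parent))
    return opens, alerts

if __name__ == "__main__":
    opens, alerts = detect(EVENTS)
    print("DXF opens:", [e["ProcessGuid"] for e in opens])
    for alert in alerts:
        print("child process:", alert)
```

Matching on ProcessGuid rather than image name ties the child process to the specific IrfanView instance that parsed the DXF file, which separates it from children of unrelated IrfanView sessions.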