CVE-2025-7298
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files with IrfanView's CADImage plugin. The flaw exists in how the plugin parses DXF files, enabling attackers to read beyond allocated buffers and potentially gain control of the affected system. Users of IrfanView with the CADImage plugin installed are at risk.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the user's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malicious code execution in the context of the current user, allowing file access, credential theft, and installation of additional malware.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash rather than full compromise.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) and knowledge of the vulnerability details. The ZDI advisory suggests the vulnerability is being actively researched.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check IrfanView website for latest version
Vendor Advisory: https://www.irfanview.com/
Restart Required: No
Instructions:
1. Visit https://www.irfanview.com/
2. Download and install the latest version of IrfanView
3. Ensure the CADImage plugin is updated to the latest version
4. Verify the update by checking the plugin version in IrfanView's plugin information
🔧 Temporary Workarounds
Disable CADImage Plugin
Windows: Remove or disable the vulnerable CADImage plugin from IrfanView
Navigate to IrfanView plugins directory and remove or rename the CADImage plugin file
Block DXF Files
Windows: Prevent IrfanView from opening DXF files via file association changes
Use Windows Settings > Apps > Default apps to change DXF file association away from IrfanView
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of IrfanView
- Use network segmentation to isolate systems running IrfanView from critical assets
🔍 How to Verify
Check if Vulnerable:
Check IrfanView version and plugin version. If using a version prior to the security update with CADImage plugin enabled, the system is vulnerable.
Check Version:
Open IrfanView, go to Help > About, check version information
Verify Fix Applied:
Verify IrfanView and CADImage plugin are updated to the latest version from the official website. Test with known safe DXF files to ensure functionality.
📡 Detection & Monitoring
Log Indicators:
- IrfanView process crashes when opening DXF files
- Unexpected network connections from IrfanView process
- Creation of suspicious files or processes by IrfanView
Network Indicators:
- Downloads of DXF files from untrusted sources
- Outbound connections from IrfanView to suspicious IPs
SIEM Query:
Process:IrfanView AND (FileExtension:DXF OR FileName:*.dxf) AND (EventID:1000 OR EventID:1001)
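The correlation behind the log indicators and SIEM query above, as an added example that is not part of the original page: it flags a crash event (ID 1000 or 1001) only when the same host launched IrfanView on a DXF file shortly before. The event field names, the 60-second window, the sample events and the image name `i_view64.exe` are assumptions to adapt to your own telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are hypothetical;
# map them to your SIEM schema. "i_view64.exe" as the IrfanView image name is
# an assumption, the page only names the product.
EVENTS = [
    {"ts": "2025-07-10T09:00:01", "host": "ws1", "type": "process_start",
     "image": "i_view64.exe", "cmdline": r'i_view64.exe "C:\Users\a\Downloads\plan.dxf"'},
    {"ts": "2025-07-10T09:00:04", "host": "ws1", "type": "app_crash",
     "event_id": 1000, "image": "i_view64.exe"},
    {"ts": "2025-07-10T09:05:00", "host": "ws2", "type": "process_start",
     "image": "i_view64.exe", "cmdline": r'i_view64.exe "C:\pics\cat.png"'},
    {"ts": "2025-07-10T09:05:02", "host": "ws2", "type": "app_crash",
     "event_id": 1000, "image": "i_view64.exe"},
    {"ts": "2025-07-10T10:00:00", "host": "ws3", "type": "process_start",
     "image": "i_view64.exe", "cmdline": r'i_view64.exe "D:\cad\ok.DXF"'},
    {"ts": "2025-07-10T11:30:00", "host": "ws3", "type": "app_crash",
     "event_id": 1001, "image": "i_view64.exe"},
]

CRASH_IDS = {1000, 1001}  # event IDs used in the page's SIEM query
DXF_ARG = re.compile(r'\.dxf(?=["\s]|$)', re.IGNORECASE)  # .dxf ending an argument


def find_dxf_crashes(events, image="i_view64.exe", window_s=60):
    """Return (host, cmdline, crash_ts) where a crash follows a DXF open."""
    hits, last_open = [], {}  # last_open: host -> (time, cmdline)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() != image.lower():
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process_start":
            # Track only the latest launch per host; a non-DXF launch clears it.
            if DXF_ARG.search(ev["cmdline"]):
                last_open[ev["host"]] = (ts, ev["cmdline"])
            else:
                last_open.pop(ev["host"], None)
        elif ev["type"] == "app_crash" and ev.get("event_id") in CRASH_IDS:
            opened = last_open.get(ev["host"])
            if opened and ts - opened[0] <= timedelta(seconds=window_s):
                hits.append((ev["host"], opened[1], ev["ts"]))
    return hits


if __name__ == "__main__":
    for host, cmdline, crash_ts in find_dxf_crashes(EVENTS):
        print(f"{host}: crash at {crash_ts} after {cmdline}")
```

On the constructed events only the ws1 crash is reported: ws2 crashed on a PNG and ws3 crashed 90 minutes after its DXF open.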