CVE-2025-7320

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of IrfanView with the CADImage plugin. Attackers can exploit this by tricking users into opening malicious DXF files, leading to memory corruption and potential system compromise. Users of IrfanView with the CADImage plugin are affected.

💻 Affected Systems

Products:
  • IrfanView CADImage Plugin
Versions: Not specified in the advisory; all versions before the patch
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires IrfanView with CADImage plugin installed. User must open malicious DXF file.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation or malware installation on the victim's system, with potential for data exfiltration or persistence mechanisms.

🟢

If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening a malicious file). The ZDI-CAN-26418 tracking number indicates coordinated disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check IrfanView updates for CADImage plugin fix

Vendor Advisory: https://www.irfanview.com/

Restart Required: Yes

Instructions:

1. Open IrfanView
2. Go to Help > Check for Updates
3. Install available updates
4. Restart IrfanView

🔧 Temporary Workarounds

Disable CADImage Plugin

Platform: Windows

Remove or disable the vulnerable CADImage plugin from IrfanView

Navigate to the IrfanView plugins folder and remove CADImage.dll or similar plugin files

Block DXF File Association

Platform: Windows

Prevent IrfanView from opening DXF files by default

Control Panel > Default Programs > Associate a file type or protocol with a program > Change .dxf association to another program

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized IrfanView execution
  • Use endpoint protection with memory corruption detection capabilities

🔍 How to Verify

Check if Vulnerable:

Check the IrfanView version and verify whether the CADImage plugin is present in the plugins folder

Check Version:

Open IrfanView > Help > About IrfanView

Verify Fix Applied:

Verify that IrfanView is updated to the latest version and that the CADImage plugin version is patched

📡 Detection & Monitoring

Log Indicators:

  • IrfanView crash logs with memory access violations
  • Unexpected IrfanView process spawning child processes

Network Indicators:

  • Unusual outbound connections from IrfanView process

SIEM Query:

Process Creation where Image contains 'i_view' and CommandLine contains '.dxf'
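
The query and the child-process indicator above can be combined so that a child of an IrfanView instance launched on a DXF file ranks higher than either signal alone. The following is an added example, not part of the original advisory; it assumes process-creation events shaped like Sysmon Event ID 1 records (Image, CommandLine, ProcessId, ParentImage, ParentProcessId), and the function names and sample events are constructed for illustration.

```python
import ntpath
import re

# A path argument ending in .dxf, quoted or unquoted, any letter case.
DXF_ARG = re.compile(r'\.dxf(?=["\s]|$)', re.IGNORECASE)

def is_irfanview(image):
    """True if the executable name contains 'i_view' (as in the SIEM query)."""
    return "i_view" in ntpath.basename(image or "").lower()

def triage(events):
    """Return (severity, rule, ProcessId) alerts, in input order."""
    dxf_viewers = set()  # ProcessIds of IrfanView instances started on a DXF
    alerts = []
    for e in events:
        if is_irfanview(e.get("Image")) and DXF_ARG.search(e.get("CommandLine", "")):
            dxf_viewers.add(e["ProcessId"])
            alerts.append(("info", "irfanview_opened_dxf", e["ProcessId"]))
        if is_irfanview(e.get("ParentImage")):
            # The page lists IrfanView spawning children as an indicator;
            # escalate when the parent instance was launched on a DXF file.
            sev = "high" if e.get("ParentProcessId") in dxf_viewers else "medium"
            alerts.append((sev, "irfanview_spawned_child", e["ProcessId"]))
    return alerts

def ev(pid, image, cmdline, ppid, parent):
    """Build one constructed process-creation event."""
    return {"ProcessId": pid, "Image": image, "CommandLine": cmdline,
            "ParentProcessId": ppid, "ParentImage": parent}

IV = r"C:\Program Files\IrfanView\i_view64.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ev(4100, IV, r'"i_view64.exe" "C:\Users\alice\Downloads\plan.DXF"', 900, EXPLORER),
    ev(4200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", 4100, IV),
    ev(4300, IV, r'"i_view64.exe" "C:\Users\alice\Pictures\photo.jpg"', 900, EXPLORER),
    ev(4400, r"C:\Windows\System32\mspaint.exe", "mspaint.exe photo.jpg", 4300, IV),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Events must be fed in chronological order, since the correlation relies on seeing the IrfanView launch before its children.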
