CVE-2025-7324
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files with IrfanView's CADImage plugin. The flaw exists in improper buffer validation during DXF file parsing, enabling out-of-bounds reads that can lead to remote code execution. Users of IrfanView with the CADImage plugin are affected.
💻 Affected Systems
- IrfanView CADImage Plugin
📦 What is this software?
Cadimage by Cadsofttools
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the user running IrfanView, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malware installation or data exfiltration when users open malicious DXF files from untrusted sources.
If Mitigated
Limited impact with proper user training and file restrictions, though successful exploitation still grants process-level access.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). The vulnerability is publicly disclosed via ZDI advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified; check the vendor advisory
Vendor Advisory: https://www.irfanview.com/
Restart Required: No
Instructions:
1. Visit IrfanView official website
2. Download latest version with CADImage plugin updates
3. Install over existing installation
4. Verify plugin version is updated
🔧 Temporary Workarounds
Disable CADImage Plugin
Windows: Remove or disable the vulnerable plugin to prevent exploitation
Navigate to IrfanView plugins directory and remove CADImage plugin files
File Association Removal
Windows: Remove DXF file association with IrfanView
Control Panel > Default Programs > Set Associations > Remove .DXF from IrfanView
🧯 If You Can't Patch
- Implement application whitelisting to block IrfanView execution
- Use email/web gateways to block DXF file attachments and downloads
🔍 How to Verify
Check if Vulnerable:
Check IrfanView Help > About dialog for CADImage plugin version and compare with patched version from vendor advisory
Check Version:
irfanview.exe (from Help > About menu)
Verify Fix Applied:
Verify installed version matches or exceeds patched version from vendor advisory
📡 Detection & Monitoring
Log Indicators:
- IrfanView process crashes when opening DXF files
- Unusual child processes spawned from IrfanView
Network Indicators:
- Downloads of DXF files from untrusted sources
- Outbound connections from IrfanView process
SIEM Query:
Process Creation where Parent Process Name contains 'i_view' AND (Command Line contains '.dxf' OR Image contains suspicious patterns)
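The child-process indicator and the query above can be applied to process-creation records as in the following added example, which is not part of the original advisory or of any vendor tooling. It assumes Sysmon Event ID 1 style field names (`Image`, `CommandLine`, `ParentImage`, `ParentCommandLine`), a site-specific allowlist of expected child processes, and constructed sample events.

```python
import ntpath
import re

# Assumption: helper processes a site expects IrfanView to start (e.g. printing).
EXPECTED_CHILDREN = {"splwow64.exe"}
# Matches a .dxf path at the end of an argument, quoted or not.
DXF_ARG = re.compile(r'\.dxf(?=["\s]|$)', re.IGNORECASE)
IV = r"C:\Program Files\IrfanView\i_view64.exe"

def ev(image, cmdline, parent, parent_cmdline):
    return {"Image": image, "CommandLine": cmdline,
            "ParentImage": parent, "ParentCommandLine": parent_cmdline}

# Constructed sample events in the shape of Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    ev(IV, f'"{IV}" "C:\\Users\\a\\Downloads\\plan.dxf"',
       r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ev(r"C:\Windows\System32\cmd.exe", "cmd.exe /c ver",
       IV, f'"{IV}" "C:\\Users\\a\\Downloads\\plan.dxf"'),
    ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop",
       IV, f'"{IV}" "C:\\Users\\a\\Pictures\\photo.jpg"'),
    ev(r"C:\Windows\splwow64.exe", "splwow64.exe 8192",
       IV, f'"{IV}" "C:\\Users\\a\\Downloads\\plan.dxf"'),
    ev(r"C:\Windows\System32\cmd.exe", "cmd.exe",
       r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE"),
]

def triage(event):
    """Return None, 'review' or 'high' for one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if "i_view" not in parent or child in EXPECTED_CHILDREN:
        return None
    # A child started while the parent was opened on a DXF file ranks highest.
    if DXF_ARG.search(event.get("ParentCommandLine", "")):
        return "high"
    return "review"

def flag_events(events):
    """List (index, verdict, child image name) for every flagged event."""
    hits = []
    for i, e in enumerate(events):
        verdict = triage(e)
        if verdict:
            hits.append((i, verdict, ntpath.basename(e["Image"]).lower()))
    return hits

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit)
```

The DXF check reads the parent's command line, because the file path appears on the IrfanView invocation rather than on the process it spawns.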