CVE-2025-6647: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains a remote code execution vulnerability (CVE-2025-6647) that affects the parsing of U3D files. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on June 25, 2025. This security flaw affects installations of PDF-XChange Editor version 10.5.2.395 and requires user interaction to exploit, such as opening a malicious file or visiting a malicious page (ZDI Advisory, NVD).

The vulnerability stems from an out-of-bounds write issue within the parsing of U3D files. The specific flaw results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (High) with the vector string: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of PDF-XChange Editor. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the system (ZDI Advisory).

PDF-XChange has released version 10.6.0.396 to address this vulnerability. Users are advised to update their installations to the latest version (PDF-XChange Bulletin).