CVE-2025-6652: 
PDF-XChange Editor vulnerability analysis and mitigation

A vulnerability (CVE-2025-6652) was discovered in PDF-XChange Editor that allows remote attackers to disclose sensitive information on affected installations. The vulnerability was disclosed on June 25, 2025, and affects PDF-XChange Editor version 10.5.2.395. User interaction is required to exploit this vulnerability, specifically requiring the target to visit a malicious page or open a malicious file (NVD CVE, ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of PRC files. The specific flaw results in a read operation past the end of an allocated object, classified as an Out-of-Bounds Read vulnerability (CWE-125). The vulnerability has been assigned a CVSS v3.0 base score of 3.3 (LOW) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating local access is required and user interaction is necessary for exploitation (ZDI Advisory).

When successfully exploited, this vulnerability enables attackers to disclose sensitive information on affected installations of PDF-XChange Editor. While the direct impact is considered low severity, the vulnerability could potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (NVD CVE).

PDF-XChange has released version 10.6.0.396 to address this vulnerability. Users are advised to update to the latest version of the software to mitigate the risk (PDF-XChange Security).