CVE-2025-6659: 
PDF-XChange Editor vulnerability analysis and mitigation

CVE-2025-6659 is a remote code execution vulnerability affecting PDF-XChange Editor, discovered and disclosed on June 25, 2025. The vulnerability exists within the parsing of PRC files and allows remote attackers to execute arbitrary code on affected installations of the software. User interaction is required to exploit this vulnerability, specifically requiring the target to visit a malicious page or open a malicious file (NVD, ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during PRC file parsing, which can result in a write past the end of an allocated buffer. It has been classified as CWE-787 (Out-of-bounds Write). The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (HIGH) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory, Wiz).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of PDF-XChange Editor. The high severity rating indicates potential for complete compromise of system confidentiality, integrity, and availability, although user interaction is required for successful exploitation (ZDI Advisory).

PDF-XChange has released version 10.6.0.396 to address this vulnerability. Users are advised to update to the latest version of the software. The fix was released on May 6, 2025, as part of a security update that addresses multiple vulnerabilities (Security Bulletin).