CVE-2025-7222: 
Homebrew vulnerability analysis and mitigation

Luxion KeyShot contains a remote code execution vulnerability (CVE-2025-7222) discovered in July 2025. The vulnerability exists within the parsing of 3DM files and allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability as the target must visit a malicious page or open a malicious file (Zero Day Initiative).

The specific vulnerability stems from the lack of proper validation of user-supplied data during 3DM file parsing, which can result in a write past the end of an allocated buffer (out-of-bounds write). The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (HIGH) with the vector string: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (Zero Day Initiative).

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the current process, potentially gaining the same privileges as the compromised application. This could lead to complete system compromise if the application runs with elevated privileges (Zero Day Initiative).

Luxion has issued an update to correct this vulnerability. Users are advised to apply the security update available through the vendor's security advisory page (KeyShot CSIRT, Zero Day Initiative).