Skip to main content
CVE Vulnerability Database

CVE-2025-0412: Luxion KeyShot RCE Vulnerability

CVE-2025-0412 is a memory corruption remote code execution vulnerability in Luxion KeyShot Viewer's KSP file parser. Attackers can exploit this flaw to run arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-0412 Overview

CVE-2025-0412 is a memory corruption vulnerability in Luxion KeyShot Viewer that allows attackers to execute arbitrary code through malicious KSP files. The flaw resides in the KSP file parser, which fails to properly validate user-supplied data before processing it. An attacker must convince a user to open a crafted KSP file or visit a page that delivers one. Successful exploitation runs code in the context of the current process. The issue was reported through Trend Micro's Zero Day Initiative as ZDI-CAN-22139 and tracked publicly as ZDI-23-1716. The vulnerability is classified under [CWE-119], improper restriction of operations within the bounds of a memory buffer.

Critical Impact

Attackers can achieve arbitrary code execution on workstations running Luxion KeyShot Viewer when a user opens a malicious KSP file, enabling full compromise within the user's security context.

Affected Products

  • Luxion KeyShot
  • Luxion KeyShot Viewer (KSP file parser component)
  • Installations processing untrusted KSP files

Discovery Timeline

  • 2025-01-13 - CVE-2025-0412 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-0412

Vulnerability Analysis

The vulnerability resides in the KeyShot Viewer routine that parses KSP files. KSP is the KeyShot package format used to bundle scene data for distribution. The parser reads attacker-controlled fields from the file and uses them in memory operations without sufficient bounds checking. This leads to a memory corruption condition that an attacker can shape to redirect execution flow. Because the code path runs inside the viewer process, successful exploitation yields code execution with the privileges of the user opening the file. The vulnerability requires user interaction, which aligns with typical exploitation patterns for client-side document parsers.

Root Cause

The root cause is the lack of proper validation of user-supplied data during KSP file processing, classified as [CWE-119]. Length, offset, or type fields embedded in the KSP container are trusted by the parser and used to drive memory operations such as copies or structure population. When these fields exceed expected bounds, the parser writes or reads outside the intended buffer, corrupting adjacent memory. Attackers craft these values to achieve controlled corruption suitable for code execution.

Attack Vector

The attack vector is local file processing combined with user interaction. An attacker delivers a malicious KSP file through email, file sharing services, instant messaging, or a malicious web page that prompts a download. The victim opens the file in KeyShot Viewer, triggering the vulnerable parser. No authentication is required on the target system, and exploitation succeeds without elevated privileges. The resulting code executes in the security context of the user running the viewer.

No verified public proof-of-concept code is available. Technical specifics are described in the Zero Day Initiative Advisory ZDI-23-1716 and the Keyshot Security Certification.

Detection Methods for CVE-2025-0412

Indicators of Compromise

  • KSP files arriving from untrusted sources, particularly those received through email attachments or external file shares without prior business context.
  • Unexpected child processes spawned by the KeyShot Viewer executable, such as command interpreters, scripting engines, or network utilities.
  • Crashes or abnormal termination of KeyShot Viewer correlated with KSP file opens, recorded in Windows Application event logs.

Detection Strategies

  • Monitor process lineage where KeyShot Viewer is the parent process and flag any spawned shells, PowerShell, cmd.exe, rundll32.exe, or scripting hosts.
  • Inspect file system telemetry for KSP files written to temporary directories, download folders, or email cache paths followed by execution events.
  • Correlate endpoint crash telemetry from Windows Error Reporting with subsequent suspicious network connections from the same host.

Monitoring Recommendations

  • Enable command-line argument logging and process creation auditing on workstations where KeyShot Viewer is installed.
  • Forward endpoint, application crash, and proxy logs to a centralized analytics platform to enable cross-source correlation of KSP-related activity.
  • Establish a baseline of legitimate KeyShot Viewer behavior to make anomalous child processes and outbound connections easier to identify.

How to Mitigate CVE-2025-0412

Immediate Actions Required

  • Update Luxion KeyShot to the version identified in the Keyshot Security Certification advisory LSA-960930.
  • Inventory all endpoints with KeyShot Viewer installed and prioritize patching for users who routinely open files from external collaborators.
  • Block delivery of KSP attachments at the email gateway pending verification of patch deployment across the environment.

Patch Information

Luxion has released a fixed version documented in the vendor advisory LSA-960930. Administrators should review the official Luxion security advisory for exact fixed version numbers and apply updates through the standard KeyShot installer or enterprise deployment tooling. Confirm patched versions by checking the installed KeyShot Viewer version against the fixed release noted by Luxion.

Workarounds

  • Restrict opening of KSP files to those originating from verified internal sources or trusted partners with established file exchange procedures.
  • Apply application allowlisting policies to prevent KeyShot Viewer from spawning child processes such as shells or scripting interpreters.
  • Train users handling 3D rendering content to validate the origin of KSP files and to report unsolicited samples to the security team.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.