CVE-2025-0904 Overview
CVE-2025-0904 is an out-of-bounds read vulnerability in PDF-XChange Editor that occurs during the parsing of XPS files. The flaw allows remote attackers to disclose sensitive information from affected installations. Exploitation requires user interaction: the target must open a malicious XPS file or visit a malicious page that delivers one.
The vulnerability was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-25422 and is tracked under ZDI-25-071. Attackers can combine the information disclosure with other vulnerabilities to achieve arbitrary code execution in the context of the current process.
Critical Impact
Memory disclosure from XPS parsing enables attackers to bypass mitigations and chain into arbitrary code execution within the PDF-XChange Editor process.
Affected Products
- PDF-XChange Editor (all versions prior to the vendor fix)
- PDF-XChange products that share the affected XPS parsing component
- Windows endpoints with PDF-XChange Editor configured as default XPS handler
Discovery Timeline
- 2025-02-11 - CVE-2025-0904 published to NVD
- 2025-02-12 - Last updated in NVD database
Technical Details for CVE-2025-0904
Vulnerability Analysis
The vulnerability resides in the XPS file parsing logic of PDF-XChange Editor. XPS (XML Paper Specification) is an XML-based document format that PDF-XChange Editor supports for import and conversion. When the parser processes a crafted XPS structure, it reads beyond the bounds of an allocated buffer [CWE-125].
The out-of-bounds read returns adjacent heap memory contents to the attacker-controlled processing path. This memory may contain pointers, object metadata, or other sensitive data that defeats Address Space Layout Randomization (ASLR). An attacker who successfully leaks these values can construct reliable exploits for paired memory corruption issues.
Exploitation requires the victim to open a malicious XPS file. The attacker delivers the file through phishing, web download, or any vector that induces the user to launch the document in PDF-XChange Editor.
Root Cause
The root cause is insufficient validation of user-supplied data sizes and offsets within the XPS parsing routines. The parser trusts length or index values embedded in the file without verifying them against the actual allocated buffer size. This permits a read past the end of the object.
Attack Vector
The attack vector is network-delivered file content that requires user interaction. The attacker hosts or distributes a malicious XPS file and convinces the target to open it. The vulnerable parsing routine then leaks memory back to attacker-controlled rendering paths or scripts embedded in the document. Chained with a write primitive from a separate vulnerability, this read primitive enables arbitrary code execution.
No verified public proof-of-concept code is available. Technical specifics are documented in the Zero Day Initiative Advisory ZDI-25-071.
Detection Methods for CVE-2025-0904
Indicators of Compromise
- XPS files (.xps, .oxps) arriving via email attachments or web downloads from untrusted sources
- Unexpected PDFXEdit.exe process crashes or hangs immediately after opening an XPS document
- PDF-XChange Editor child processes spawning command interpreters such as cmd.exe or powershell.exe
- Outbound network connections initiated by PDFXEdit.exe shortly after document open events
Detection Strategies
- Monitor process telemetry for PDF-XChange Editor opening XPS files followed by anomalous memory access patterns or crashes
- Inspect email gateways and web proxies for inbound XPS attachments and quarantine for sandbox analysis
- Apply EDR behavioral rules that flag document reader processes performing process injection or spawning shell interpreters
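The correlation these strategies describe, as an added example (not vendor or EDR product code): it ties PDFXEdit.exe XPS opens to a spawned shell, a crash, or outbound traffic. The event field names, the 120-second window, and the sample telemetry are assumptions constructed for illustration.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Event field names (kind, image, parent_image, ...) are assumed; map them from your EDR schema.
READER = "pdfxedit.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
XPS_ARG = re.compile(r'\.o?xps(?=["\s]|$)', re.I)  # .xps/.oxps ending an argument
WINDOW = timedelta(seconds=120)  # assumed correlation window; tune per environment
RULES = {"net_connect": "reader_egress_after_xps", "crash": "reader_crash_after_xps"}

def _ts(event):
    return datetime.fromisoformat(event["time"])

def _base(path):
    return ntpath.basename(path).lower()

def detect(events):
    """Return (rule, pid, detail) alerts for reader activity tied to an XPS open."""
    opened, alerts = {}, []  # reader pid -> time it was started on an XPS document
    for e in sorted(events, key=_ts):
        image, when = _base(e["image"]), _ts(e)
        if e["kind"] == "proc_create":
            if image == READER and XPS_ARG.search(e["cmdline"]):
                opened[e["pid"]] = when
            elif image in SHELLS and _base(e["parent_image"]) == READER:
                alerts.append(("reader_spawned_shell", e["ppid"], image))
        elif image == READER and e["kind"] in RULES:
            started = opened.get(e["pid"])
            if started and when - started <= WINDOW:
                alerts.append((RULES[e["kind"]], e["pid"], e.get("dest", "")))
    return alerts

def _ev(kind, time, pid, image, **extra):
    return {"kind": kind, "time": "2025-02-12T" + time, "pid": pid, "image": image, **extra}

PDFX, EXPLORER = r"C:\Apps\PDFXEdit.exe", r"C:\Windows\explorer.exe"
SAMPLE = [  # constructed telemetry for illustration, not real logs
    _ev("proc_create", "09:00:00", 4100, PDFX, ppid=900, parent_image=EXPLORER,
        cmdline=r'"C:\Apps\PDFXEdit.exe" "C:\Users\a\Downloads\invoice.xps"'),
    _ev("net_connect", "09:00:20", 4100, PDFX, dest="203.0.113.7:443"),
    _ev("proc_create", "09:00:25", 5200, r"C:\Windows\System32\cmd.exe", ppid=4100,
        parent_image=PDFX, cmdline="cmd.exe"),
    _ev("crash", "09:00:40", 4100, PDFX),
    _ev("proc_create", "10:00:00", 4300, PDFX, ppid=900, parent_image=EXPLORER,
        cmdline=r'"C:\Apps\PDFXEdit.exe" "C:\Users\a\report.pdf"'),
    _ev("net_connect", "10:00:05", 4300, PDFX, dest="198.51.100.9:443"),
]
```

Calling `detect(SAMPLE)` returns three alerts for the reader that opened the XPS file and none for the one that opened a PDF.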
Monitoring Recommendations
- Centralize endpoint logs to identify clusters of PDF-XChange Editor crashes that may indicate exploitation attempts
- Track installed versions of PDF-XChange Editor across the fleet and alert on outdated builds
- Audit user reports of malformed documents and correlate with file hashes seen in threat intelligence feeds
How to Mitigate CVE-2025-0904
Immediate Actions Required
- Update PDF-XChange Editor to the latest version released by Tracker Software Products that addresses ZDI-25-071
- Block inbound XPS file attachments at email gateways until patching is complete
- Educate users to avoid opening XPS files from unknown or untrusted sources
- Apply application allowlisting to restrict execution of unexpected child processes from PDFXEdit.exe
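An extension-only gateway block misses an XPS document that has been renamed. The following added example (not taken from any gateway product) identifies XPS/OpenXPS by content: both are ZIP-based packages whose root relationship type ends in `/fixedrepresentation` and whose parts use `application/vnd.ms-package.xps-*` content types. The verdict strings and sample packages are constructed for illustration.

```python
import io
import zipfile
import zlib

REL_MARKER = b"/fixedrepresentation"            # XPS and OpenXPS root relationship type suffix
CT_MARKER = b"application/vnd.ms-package.xps-"  # content types of XPS parts
MAX_PART = 1 << 20                              # read at most 1 MiB of each metadata part

def _read_part(zf, wanted):
    """Return up to MAX_PART lowercased bytes of the named part (case-insensitive), else b''."""
    for info in zf.infolist():
        if info.filename.lower() == wanted:
            with zf.open(info) as fh:
                return fh.read(MAX_PART).lower()
    return b""

def is_xps_package(data):
    """True if the bytes are a ZIP package carrying XPS/OpenXPS markers."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            rels = _read_part(zf, "_rels/.rels")
            types = _read_part(zf, "[content_types].xml")
    except (zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError, EOFError, OSError):
        return False
    return REL_MARKER in rels or CT_MARKER in types

def gateway_verdict(filename, data):
    """Quarantine on XPS content or an XPS extension; otherwise allow."""
    if is_xps_package(data):
        return "quarantine:xps-content"
    if filename.lower().endswith((".xps", ".oxps")):
        return "quarantine:xps-extension"
    return "allow"

def make_package(parts):
    """Build a ZIP in memory from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

XPS_SAMPLE = make_package({  # constructed minimal XPS-like package
    "[Content_Types].xml": b'<Types><Default Extension="fdseq" ContentType='
        b'"application/vnd.ms-package.xps-fixeddocumentsequence+xml"/></Types>',
    "_rels/.rels": b'<Relationships><Relationship Target="/FixedDocumentSequence.fdseq" Type='
        b'"http://schemas.microsoft.com/xps/2005/06/fixedrepresentation"/></Relationships>',
})
OTHER_ZIP = make_package({"notes.txt": b"hello"})  # constructed unrelated ZIP
```

The check is a heuristic on package metadata only; XPS files nested inside other archives need the gateway's own unpacking before this test applies.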
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-071 for vendor remediation status. Administrators should obtain the corrected installer directly from the PDF-XChange vendor portal and verify the build number against the advisory before deployment.
Workarounds
- Remove PDF-XChange Editor as the default handler for .xps and .oxps file extensions
- Use Group Policy or file association management to route XPS files through a sandboxed viewer
- Disable preview pane integration in mail clients that may auto-render XPS attachments
- Configure host-based controls to deny network egress from PDFXEdit.exe where not operationally required
REM Example: remove the XPS file associations on Windows endpoints (run in an elevated cmd.exe prompt)
assoc .xps=
assoc .oxps=
ftype XPSFile=


