Skip to main content
CVE Vulnerability Database

CVE-2025-6651: PDF-XChange Editor JP2 RCE Vulnerability

CVE-2025-6651 is a remote code execution vulnerability in PDF-XChange Editor caused by improper JP2 file parsing. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, impact, and mitigations.

Published:

CVE-2025-6651 Overview

CVE-2025-6651 is an out-of-bounds write vulnerability [CWE-787] in PDF-XChange Editor and PDF-Tools. The flaw resides in the parser that processes JPEG 2000 (JP2) image streams embedded in PDF documents. The parser fails to validate user-supplied data before writing to an allocated buffer, allowing memory corruption past the buffer boundary.

Attackers can leverage this issue to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a crafted file or visit a malicious page that delivers the payload. The Zero Day Initiative tracks this issue as ZDI-25-436 (formerly ZDI-CAN-26713).

Critical Impact

Successful exploitation grants arbitrary code execution under the privileges of the user running PDF-XChange Editor, enabling malware installation, credential theft, or lateral movement.

Affected Products

  • PDF-XChange Editor version 10.5.2.395
  • PDF-XChange PDF-Tools version 10.5.2.395
  • Earlier builds sharing the same JP2 parsing component

Discovery Timeline

  • 2025-06-25 - CVE-2025-6651 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6651

Vulnerability Analysis

The vulnerability exists in the JPEG 2000 image decoder used by PDF-XChange Editor and PDF-Tools. When the application parses a JP2 stream embedded within a PDF, it relies on size and offset values supplied by the file without verifying that they fit within the allocated destination buffer. A crafted JP2 stream causes the decoder to write decoded pixel or metadata bytes beyond the buffer boundary, corrupting adjacent heap structures.

Heap metadata or function pointers placed near the overflowed buffer can be overwritten, enabling control-flow hijacking. Because the vulnerability triggers during routine document rendering, no further user action is required after the file is opened.

Root Cause

The root cause is missing bounds validation on attacker-controlled length and offset fields inside the JP2 codestream. The parser trusts header-derived values and copies decoded data into a fixed-size allocation, producing a classic out-of-bounds write condition mapped to [CWE-787]. The defect is triggered entirely from values present in the malicious file, with no runtime guard catching the oversized write.

Attack Vector

The attack vector is local but exploitable through phishing or drive-by delivery. An attacker hosts or emails a PDF containing a malicious JP2 object. When the victim opens the document in PDF-XChange Editor, the parser corrupts memory and the attacker gains code execution under the user account. The vector requires user interaction (UI:R) but no prior authentication.

The vulnerability manifests during JP2 codestream decoding. See the Zero Day Initiative Advisory ZDI-25-436 for technical details.

Detection Methods for CVE-2025-6651

Indicators of Compromise

  • Unexpected child processes spawned by PDFXEdit.exe or PDFXTools.exe, such as cmd.exe, powershell.exe, or rundll32.exe
  • PDF files containing malformed JP2 streams with inconsistent codestream header sizes
  • Crash artifacts or Windows Error Reporting entries referencing access violations inside PDF-XChange image-decoding modules
  • Outbound network connections originating from the PDF-XChange Editor process shortly after a document is opened

Detection Strategies

  • Hunt for process-creation events where PDF-XChange binaries are the parent of shells, scripting engines, or regsvr32.exe
  • Inspect inbound PDF attachments for embedded /JPXDecode filters and validate JP2 marker integrity in a sandbox
  • Correlate document-open telemetry with subsequent suspicious file writes under %APPDATA% or %TEMP%

Monitoring Recommendations

  • Enable command-line and module-load auditing on endpoints that handle external PDFs
  • Forward EDR telemetry to a centralized data lake for cross-host correlation of PDF-XChange exploitation patterns
  • Alert on crashes of PDFXEdit.exe involving heap corruption or access-violation exception codes

How to Mitigate CVE-2025-6651

Immediate Actions Required

  • Upgrade PDF-XChange Editor and PDF-Tools to the fixed release listed in the PDF-XChange Security Bulletin
  • Inventory endpoints running version 10.5.2.395 or earlier and prioritize patching for users who handle external documents
  • Block delivery of PDFs from untrusted sources at the email gateway and web proxy until patches are deployed
  • Restrict local administrative rights so a successful exploit yields only standard user privileges

Patch Information

PDF-XChange has published fixed builds via the vendor security bulletin. Administrators should consult the PDF-XChange Security Bulletin and the Zero Day Initiative Advisory ZDI-25-436 for the precise fixed version and download locations.

Workarounds

  • Configure PDF-XChange Editor to open untrusted documents in a restricted user context or virtualized sandbox
  • Disable automatic preview of PDF attachments in mail clients and file explorers
  • Use Group Policy or Application Control to prevent PDF-XChange binaries from spawning command interpreters
  • Route inbound PDFs through a content-disarm-and-reconstruction (CDR) pipeline that flattens or rerenders embedded JP2 images
bash
# Example AppLocker rule fragment blocking shell spawn from PDF-XChange
# Place in a Software Restriction or AppLocker policy and enforce
New-AppLockerPolicy -RuleType Path \
  -User Everyone \
  -Action Deny \
  -Path "%PROGRAMFILES%\Tracker Software\PDF Editor\PDFXEdit.exe" \
  -ChildProcess "cmd.exe,powershell.exe,wscript.exe,cscript.exe"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.