CVE-2025-7222 Overview
CVE-2025-7222 is an out-of-bounds write vulnerability [CWE-787] in Luxion KeyShot that allows attackers to execute arbitrary code on affected installations. The flaw exists in the parser for 3DM files and results from missing validation of user-supplied data. An attacker can craft a malicious 3DM file that writes past the end of an allocated buffer when opened in KeyShot. Exploitation requires user interaction: the target must open a malicious file or visit a malicious page that delivers one. Successful exploitation grants code execution in the context of the current KeyShot process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26473 and published under advisory ZDI-25-587.
Critical Impact
A malicious 3DM file can trigger an out-of-bounds write in KeyShot and execute arbitrary code with the privileges of the user running the application.
Affected Products
- Luxion KeyShot 13.2.1
- Earlier KeyShot releases that share the vulnerable 3DM parser
- Workstations and design environments that process untrusted 3DM files in KeyShot
Discovery Timeline
- 2025-07-21 - CVE-2025-7222 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7222
Vulnerability Analysis
The vulnerability lives inside the KeyShot routine that parses 3DM model files, the native format used by Rhinoceros 3D and consumed by KeyShot for rendering. The parser reads attacker-controlled length or offset fields from the file and uses them to write data into a heap buffer without verifying that the destination remains within the allocation. The result is an out-of-bounds write [CWE-787] on the heap.
An attacker who controls the overflowing bytes can corrupt adjacent heap metadata, function pointers, or C++ object virtual tables that KeyShot resolves during rendering. By shaping the heap layout before triggering the overflow, an attacker can convert the write primitive into control of the instruction pointer and execute code in the KeyShot process. Because KeyShot runs with the privileges of the interactive user, successful exploitation yields full access to that user's files, credentials cached on disk, and network resources the user can reach.
The attack vector is local and requires user interaction, but 3DM files are routinely exchanged between designers, contractors, and clients, which makes targeted delivery through email, shared drives, or compromised supplier portals realistic.
Root Cause
The root cause is improper input validation in the 3DM chunk parser. Length values embedded in the file are trusted and used to size or index write operations against a fixed or pre-sized heap buffer. The parser does not bound-check these values against the actual allocation, allowing a crafted record to extend the write beyond the buffer.
Attack Vector
An attacker prepares a weaponized 3DM file and delivers it to a KeyShot user through phishing, a shared project folder, or a malicious web page that prompts the file to be opened. When the user opens the file in KeyShot, the malformed chunk is parsed, the out-of-bounds write fires, and the embedded payload executes in the rendering process. No network exposure of the host is required.
No public proof-of-concept code is available for CVE-2025-7222. Technical specifics are described in the Zero Day Initiative advisory ZDI-25-587.
Detection Methods for CVE-2025-7222
Indicators of Compromise
- KeyShot processes (keyshot.exe, keyshot_network_*) spawning command interpreters such as cmd.exe, powershell.exe, or /bin/sh shortly after opening a 3DM file.
- Unexpected child processes, DLL loads, or scripting engines initiated from the KeyShot installation directory.
- 3DM files delivered from external senders, shared portals, or removable media that crash KeyShot or trigger Windows Error Reporting entries for keyshot.exe.
- Outbound network connections from the KeyShot process to non-Luxion infrastructure immediately after file open.
Detection Strategies
- Hunt for process-tree anomalies where KeyShot is the parent of shells, rundll32.exe, regsvr32.exe, or LOLBins.
- Flag KeyShot crash events correlated with recent 3DM file access, since exploit attempts often produce parser crashes during development and delivery.
- Inspect email and file-sharing logs for .3dm attachments originating outside trusted design partners.
Monitoring Recommendations
- Forward KeyShot process telemetry, file open events, and Windows Error Reporting data to a central SIEM or data lake for correlation.
- Alert on writes by keyshot.exe to autorun locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run or user Startup folders.
- Monitor egress from workstations running KeyShot for connections to newly registered or low-reputation domains following 3DM file activity.
How to Mitigate CVE-2025-7222
Immediate Actions Required
- Inventory all systems with Luxion KeyShot installed, prioritizing version 13.2.1 and earlier, and identify users who routinely handle externally sourced 3DM files.
- Apply the fixed KeyShot release published by Luxion as soon as it is available from the Keyshot CSIRT Resource.
- Instruct designers to open 3DM files only from verified sources until patching is complete.
- Review the Zero Day Initiative Advisory ZDI-25-587 for vendor and disclosure status.
Patch Information
Luxion tracks remediation through its CSIRT program. Refer to the Keyshot CSIRT Resource for the current fixed build and upgrade guidance. Upgrade affected workstations to the patched KeyShot release once published, and remove or quarantine older installers from internal software repositories.
Workarounds
- Block inbound .3dm attachments at the mail gateway from senders outside the approved design supply chain.
- Restrict KeyShot to a non-administrative user account and apply application allow-listing to limit child-process execution.
- Open untrusted 3DM files only inside an isolated virtual machine or sandboxed workstation with no access to production credentials or shares.
- Disable file association auto-open for .3dm files in browsers and require manual download and inspection before opening.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

