CVE-2025-7975 Overview
CVE-2025-7975 is a directory traversal vulnerability in Anritsu ShockLine that enables remote code execution through malicious CHX files. The flaw exists in the CHX file parsing logic, which fails to validate user-supplied paths before performing file operations. An attacker can craft a malicious CHX file that, when opened by a user, executes arbitrary code in the context of the current user. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26913 and is tracked under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
A successful exploit allows attackers to execute arbitrary code with the privileges of the current user after the victim opens a crafted CHX file.
Affected Products
- Anritsu ShockLine (all versions prior to vendor remediation)
- Vector network analyzer software using the CHX file format parser
- Workstations running Anritsu ShockLine for RF and microwave measurement analysis
Discovery Timeline
- 2025-09-02 - CVE-2025-7975 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7975
Vulnerability Analysis
The vulnerability resides in the CHX file parser inside Anritsu ShockLine. CHX files are calibration and measurement data files used by Anritsu vector network analyzers. The parser reads file path values embedded within the CHX structure and subsequently uses them in file operations without canonicalization or validation.
Because the application trusts these embedded paths, an attacker can include traversal sequences such as ..\ to escape the intended working directory. The parser then writes or accesses files at attacker-controlled locations, enabling code execution when a target file is dropped into an auto-executed location such as a startup folder or a DLL search path.
Exploitation requires user interaction. The target must open a malicious CHX file or visit a page that triggers the application to process one. The attack runs locally but can be delivered through phishing or watering-hole distribution of weaponized CHX files.
Root Cause
The root cause is missing validation of user-supplied path components extracted from CHX files [CWE-22]. The application concatenates attacker-controlled strings with base directories and performs file operations without verifying that resolved paths remain within an allowed root. Standard mitigations such as canonical path resolution, allow-list filtering, and rejection of .. segments are not applied.
Attack Vector
The attack vector is local but does not require attacker authentication. An attacker distributes a malicious CHX file by email, web download, or shared storage. When the victim opens the file in ShockLine, the parser processes embedded path entries and writes attacker content to a location reachable by code execution primitives such as startup directories or library load paths. Subsequent code execution runs with the user's privileges.
// No verified public proof-of-concept code is available.
// See the Zero Day Initiative advisory ZDI-25-647 for technical details.
Detection Methods for CVE-2025-7975
Indicators of Compromise
- CHX files containing path traversal sequences such as ..\, ..%5c, or absolute path components inside embedded path fields
- Unexpected files written by the ShockLine process outside its installation and project directories
- Child processes spawned from the ShockLine executable that are not part of normal measurement workflows
- Modifications to user startup folders or per-user AppData directories shortly after a CHX file is opened
Detection Strategies
- Inspect CHX files at email and web gateways for path traversal patterns in embedded string fields
- Monitor endpoint file-write telemetry for the ShockLine process writing to paths outside the project workspace
- Alert on process-creation events where ShockLine spawns interpreters, shells, or unsigned binaries
- Correlate CHX file opens with subsequent writes to startup or autorun locations using EDR storyline data
Monitoring Recommendations
- Enable detailed file-system auditing on workstations running ShockLine and forward events to a centralized data lake
- Track process lineage for ShockLine and flag deviations from baseline behavior
- Hunt for CHX files received from external sources by scanning email attachments and download directories
- Review user reports of unexpected ShockLine behavior, crashes, or unfamiliar files appearing after opening measurement data
How to Mitigate CVE-2025-7975
Immediate Actions Required
- Restrict opening of CHX files to those received from trusted, verified sources only
- Apply application allow-listing to limit which binaries ShockLine and its child processes can launch
- Run ShockLine under a standard user account rather than a privileged account to limit impact of exploitation
- Block inbound CHX file delivery through email and web filtering until a vendor patch is applied
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-647 for vendor coordination status and remediation guidance. At publication of this advisory, customers should contact Anritsu support to confirm the availability of a fixed ShockLine release and update affected systems accordingly.
Workarounds
- Do not open CHX files from untrusted senders, public file shares, or unsolicited web downloads
- Quarantine and inspect CHX files in an isolated analysis environment before use on production engineering systems
- Remove ShockLine file associations for users who do not require CHX file handling, forcing manual review of incoming files
- Segment laboratory workstations running ShockLine from broader enterprise networks to limit lateral movement after compromise
# Example: scan a directory for CHX files containing path traversal sequences
grep -rIlE '\.\.[\\/]' /path/to/incoming/*.chx
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

