CVE-2025-7979 Overview
CVE-2025-7979 is a stack-based buffer overflow [CWE-121] in Ashlar-Vellum Graphite that enables arbitrary code execution when a user opens a crafted VC6 file. The flaw resides in the VC6 file parser, which copies user-supplied data into a fixed-size stack buffer without validating its length. An attacker must convince the target to open a malicious file or visit a malicious page hosting one. Successful exploitation runs code in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-25463 and disclosed in advisory ZDI-25-633.
Critical Impact
Opening a malicious VC6 file in Ashlar-Vellum Graphite grants an attacker code execution with the privileges of the user running the application.
Affected Products
- Ashlar-Vellum Graphite 13.0.48
- Workstations used for CAD design with Graphite installed
- Engineering and manufacturing environments processing untrusted .vc6 files
Discovery Timeline
- 2025-09-17 - CVE-2025-7979 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7979
Vulnerability Analysis
The vulnerability resides in the VC6 file format parser within Ashlar-Vellum Graphite. When Graphite loads a VC6 file, the parser reads length-prefixed or delimited fields from the file and copies that data into a stack-allocated buffer. The parser does not verify that the source length fits within the destination buffer. A crafted VC6 file containing oversized fields overwrites the saved return address, frame pointer, and any structured exception handler records on the stack.
Exploitation requires user interaction. The victim must open the malicious file directly, retrieve it from a phishing email, or load it from a web page that triggers the application handler. Once the overflow occurs, the attacker controls execution flow and runs arbitrary code with the privileges of the logged-in user. On engineering workstations that account is often a local administrator, which expands the impact to credential theft, persistence, and lateral movement.
Root Cause
The defect maps to [CWE-121] Stack-based Buffer Overflow. The parser trusts attacker-controlled length fields embedded in the VC6 file structure and performs a copy operation without bounds checking against the destination buffer size.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a weaponized VC6 file through email, shared drives, supply chain channels, or a drive-by download. Once Graphite parses the file, the overflow triggers and shellcode executes inside the Graphite process. No network privileges are needed on the target system.
No public proof-of-concept code is available. Refer to the Zero Day Initiative Advisory ZDI-25-633 for vendor coordination details.
Detection Methods for CVE-2025-7979
Indicators of Compromise
- Unexpected crashes or Graphite.exe access violation events in the Windows Application event log shortly after opening a .vc6 file
- VC6 files arriving from untrusted email senders, external file shares, or download directories
- Child processes spawned by Graphite.exe such as cmd.exe, powershell.exe, or rundll32.exe
- Outbound network connections initiated by Graphite.exe to unfamiliar destinations
Detection Strategies
- Monitor process lineage for any child process created by Graphite.exe, which under normal operation does not launch shells or scripting hosts
- Alert on memory protection changes and WriteProcessMemory activity within the Graphite process indicating shellcode staging
- Inspect VC6 files at the email and web gateway for anomalous size or malformed headers before delivery to end users
Monitoring Recommendations
- Enable command-line and module-load auditing on workstations running Graphite to capture post-exploitation activity
- Forward endpoint telemetry to a centralized SIEM and correlate Graphite crashes with subsequent process or network anomalies
- Track file write events for .vc6 extensions in user download and temporary directories
How to Mitigate CVE-2025-7979
Immediate Actions Required
- Restrict opening of VC6 files to those originating from trusted internal sources until a vendor patch is applied
- Train CAD operators to verify the source of any .vc6 file before opening it in Graphite
- Run Graphite under a standard user account rather than a local administrator to limit post-exploitation impact
- Apply application allowlisting to prevent Graphite.exe from spawning shells or scripting interpreters
Patch Information
At the time of publication, no fixed version is referenced in the NVD entry. Review the Zero Day Initiative Advisory ZDI-25-633 and the Ashlar-Vellum support channels for an updated build of Graphite that addresses the VC6 parser flaw.
Workarounds
- Block inbound .vc6 attachments at the email gateway and quarantine them for manual review
- Disable file association handlers that automatically launch Graphite from browsers or document viewers
- Isolate engineering workstations that process external CAD files on a segmented VLAN with restricted outbound access
- Enforce Windows Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) system-wide to raise the cost of exploitation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

