Skip to main content
CVE Vulnerability Database

CVE-2025-7979: Ashlar Graphite RCE Vulnerability

CVE-2025-7979 is a stack-based buffer overflow RCE flaw in Ashlar-Vellum Graphite VC6 file parsing that enables remote code execution. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-7979 Overview

CVE-2025-7979 is a stack-based buffer overflow [CWE-121] in Ashlar-Vellum Graphite that enables arbitrary code execution when a user opens a crafted VC6 file. The flaw resides in the VC6 file parser, which copies user-supplied data into a fixed-size stack buffer without validating its length. An attacker must convince the target to open a malicious file or visit a malicious page hosting one. Successful exploitation runs code in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-25463 and disclosed in advisory ZDI-25-633.

Critical Impact

Opening a malicious VC6 file in Ashlar-Vellum Graphite grants an attacker code execution with the privileges of the user running the application.

Affected Products

  • Ashlar-Vellum Graphite 13.0.48
  • Workstations used for CAD design with Graphite installed
  • Engineering and manufacturing environments processing untrusted .vc6 files

Discovery Timeline

  • 2025-09-17 - CVE-2025-7979 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7979

Vulnerability Analysis

The vulnerability resides in the VC6 file format parser within Ashlar-Vellum Graphite. When Graphite loads a VC6 file, the parser reads length-prefixed or delimited fields from the file and copies that data into a stack-allocated buffer. The parser does not verify that the source length fits within the destination buffer. A crafted VC6 file containing oversized fields overwrites the saved return address, frame pointer, and any structured exception handler records on the stack.

Exploitation requires user interaction. The victim must open the malicious file directly, retrieve it from a phishing email, or load it from a web page that triggers the application handler. Once the overflow occurs, the attacker controls execution flow and runs arbitrary code with the privileges of the logged-in user. On engineering workstations that account is often a local administrator, which expands the impact to credential theft, persistence, and lateral movement.

Root Cause

The defect maps to [CWE-121] Stack-based Buffer Overflow. The parser trusts attacker-controlled length fields embedded in the VC6 file structure and performs a copy operation without bounds checking against the destination buffer size.

Attack Vector

The attack vector is local and requires user interaction. An attacker delivers a weaponized VC6 file through email, shared drives, supply chain channels, or a drive-by download. Once Graphite parses the file, the overflow triggers and shellcode executes inside the Graphite process. No network privileges are needed on the target system.

No public proof-of-concept code is available. Refer to the Zero Day Initiative Advisory ZDI-25-633 for vendor coordination details.

Detection Methods for CVE-2025-7979

Indicators of Compromise

  • Unexpected crashes or Graphite.exe access violation events in the Windows Application event log shortly after opening a .vc6 file
  • VC6 files arriving from untrusted email senders, external file shares, or download directories
  • Child processes spawned by Graphite.exe such as cmd.exe, powershell.exe, or rundll32.exe
  • Outbound network connections initiated by Graphite.exe to unfamiliar destinations

Detection Strategies

  • Monitor process lineage for any child process created by Graphite.exe, which under normal operation does not launch shells or scripting hosts
  • Alert on memory protection changes and WriteProcessMemory activity within the Graphite process indicating shellcode staging
  • Inspect VC6 files at the email and web gateway for anomalous size or malformed headers before delivery to end users

Monitoring Recommendations

  • Enable command-line and module-load auditing on workstations running Graphite to capture post-exploitation activity
  • Forward endpoint telemetry to a centralized SIEM and correlate Graphite crashes with subsequent process or network anomalies
  • Track file write events for .vc6 extensions in user download and temporary directories

How to Mitigate CVE-2025-7979

Immediate Actions Required

  • Restrict opening of VC6 files to those originating from trusted internal sources until a vendor patch is applied
  • Train CAD operators to verify the source of any .vc6 file before opening it in Graphite
  • Run Graphite under a standard user account rather than a local administrator to limit post-exploitation impact
  • Apply application allowlisting to prevent Graphite.exe from spawning shells or scripting interpreters

Patch Information

At the time of publication, no fixed version is referenced in the NVD entry. Review the Zero Day Initiative Advisory ZDI-25-633 and the Ashlar-Vellum support channels for an updated build of Graphite that addresses the VC6 parser flaw.

Workarounds

  • Block inbound .vc6 attachments at the email gateway and quarantine them for manual review
  • Disable file association handlers that automatically launch Graphite from browsers or document viewers
  • Isolate engineering workstations that process external CAD files on a segmented VLAN with restricted outbound access
  • Enforce Windows Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) system-wide to raise the cost of exploitation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.