Skip to main content
CVE Vulnerability Database

CVE-2025-7980: Ashlar Graphite RCE Vulnerability

CVE-2025-7980 is a remote code execution flaw in Ashlar-Vellum Graphite caused by an out-of-bounds write when parsing VC6 files. Attackers can exploit this to run arbitrary code. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-7980 Overview

CVE-2025-7980 is an out-of-bounds write vulnerability [CWE-787] in Ashlar-Vellum Graphite, a computer-aided design (CAD) application. The flaw resides in the parser that handles VC6 files. An attacker who convinces a user to open a malicious VC6 file can write data past the end of an allocated buffer, leading to arbitrary code execution in the context of the current process. The Zero Day Initiative tracks this issue as ZDI-CAN-25465.

Critical Impact

Successful exploitation enables remote code execution on workstations running Ashlar-Vellum Graphite 13.0.48, compromising the confidentiality, integrity, and availability of CAD design assets and the host system.

Affected Products

  • Ashlar-Vellum Graphite 13.0.48
  • Ashlar-Vellum Graphite VC6 file parser component
  • Workstations processing untrusted Ashlar-Vellum CAD files

Discovery Timeline

  • 2025-09-17 - CVE-2025-7980 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7980

Vulnerability Analysis

The vulnerability is an out-of-bounds write [CWE-787] in the routine that parses VC6 files inside Ashlar-Vellum Graphite. The parser does not validate length or size fields supplied by the file before copying data into a fixed-size buffer. When a crafted VC6 file is opened, the parser writes attacker-controlled bytes beyond the end of the allocated buffer.

Memory corruption of this kind allows an attacker to overwrite adjacent heap or stack structures, including function pointers, vtables, or saved return addresses. With reliable control of the corrupted memory, the attacker can hijack execution flow within the Graphite process. Exploitation runs with the privileges of the user who opened the file, which typically equates to a standard desktop user but may include access to sensitive engineering data and network shares.

The vulnerability requires user interaction. The victim must open a malicious VC6 file or visit a page that delivers one. No authentication is required on the targeted system, and the attack surface is local file processing.

Root Cause

The defect originates from missing bounds validation on user-supplied data fields read from a VC6 file. The parser trusts size or offset values inside the file structure and uses them directly when writing into a destination buffer. Attackers craft a VC6 file with oversized or malformed fields to overflow the buffer.

Attack Vector

The attack vector is local file opening. An attacker distributes a malicious .vc6 file through phishing email, file-sharing services, a compromised website, or a CAD asset repository. When the target opens the file in Ashlar-Vellum Graphite, the parser triggers the out-of-bounds write and the attacker gains code execution. See the Zero Day Initiative Advisory ZDI-25-631 for additional technical context.

Detection Methods for CVE-2025-7980

Indicators of Compromise

  • Unexpected crashes or termination of the Graphite process (Graphite.exe) while opening VC6 files
  • VC6 files arriving by email or download from untrusted external sources
  • Child processes spawned by Graphite that are not part of normal CAD workflows, such as command shells or scripting engines
  • Outbound network connections from the Graphite process immediately after opening a file

Detection Strategies

  • Monitor process creation events where Graphite.exe is the parent of cmd.exe, powershell.exe, rundll32.exe, or other living-off-the-land binaries
  • Inspect file write and module load events inside the Graphite process for unsigned DLLs or shellcode-like memory regions
  • Hunt for VC6 files originating from external email gateways, browser downloads, or removable media that are then opened on engineering workstations

Monitoring Recommendations

  • Centralize endpoint telemetry from CAD workstations and alert on Graphite process anomalies
  • Track Windows Error Reporting events and application crashes associated with Graphite.exe
  • Correlate VC6 file delivery events from email and web proxies with subsequent execution on endpoints

How to Mitigate CVE-2025-7980

Immediate Actions Required

  • Inventory all systems running Ashlar-Vellum Graphite 13.0.48 and prioritize remediation on engineering workstations
  • Restrict opening of VC6 files received from external or untrusted sources until a vendor patch is applied
  • Apply application control policies that block execution of unauthorized child processes from Graphite.exe
  • Provide targeted user awareness for CAD operators on phishing campaigns delivering malicious design files

Patch Information

No vendor patch URL is published in the CVE record at this time. Refer to the Zero Day Initiative Advisory ZDI-25-631 and the Ashlar-Vellum vendor support channel for fixed-version availability and update guidance.

Workarounds

  • Open VC6 files only from trusted internal sources and validated repositories
  • Use a sandboxed or isolated virtual machine for inspecting unverified CAD files
  • Block VC6 file attachments at the email gateway and web proxy where business workflows allow
  • Enforce least-privilege accounts on CAD workstations so successful exploitation does not yield administrative rights
bash
# Example: block VC6 attachments at an email gateway (illustrative rule)
rule block_vc6_attachments {
  if attachment.extension == "vc6" and sender.zone == "external" then
    action = quarantine
    notify  = soc@example.com
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.