CVE-2025-7983 Overview
CVE-2025-7983 is a heap-based buffer overflow [CWE-122] in Ashlar-Vellum Graphite that enables arbitrary code execution when a user opens a crafted VC6 file. The flaw resides in the VC6 file parser, which copies user-supplied data into a heap buffer without validating its length. Exploitation requires user interaction, such as opening a malicious file or visiting a malicious page that delivers one. Successful exploitation runs attacker-controlled code in the context of the Graphite process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-25477 and disclosed in advisory ZDI-25-635.
Critical Impact
A malicious VC6 file can trigger a heap-based buffer overflow in Ashlar-Vellum Graphite and execute arbitrary code with the privileges of the user running the application.
Affected Products
- Ashlar-Vellum Graphite 13.0.48
- Ashlar-Vellum Graphite installations that parse VC6 files
- Workstations where users open externally sourced CAD files in Graphite
Discovery Timeline
- 2025-09-17 - CVE-2025-7983 published to the National Vulnerability Database
- 2026-06-17 - CVE-2025-7983 last modified in the NVD
- Reported to Ashlar-Vellum through the Zero Day Initiative as ZDI-CAN-25477
Technical Details for CVE-2025-7983
Vulnerability Analysis
The vulnerability resides in the code path that parses VC6 files inside Ashlar-Vellum Graphite. When Graphite loads a VC6 file, the parser reads length and data fields directly from the file structure. The parser copies attacker-controlled data into a fixed-size heap allocation without first verifying that the source length fits within the destination buffer. The resulting out-of-bounds write corrupts adjacent heap metadata and application objects.
An attacker who controls the layout of the corrupted heap region can overwrite function pointers, vtables, or other control data used later in the process. Because Graphite runs client-side without elevated privileges by default, code executes in the security context of the interactive user. This is a local attack vector — the malicious file must be delivered to the target and opened. Phishing, drive-by download, and shared project repositories are realistic delivery channels for CAD-focused workflows.
Root Cause
The root cause is missing bounds validation on user-supplied length values in the VC6 parser. The code trusts a size field embedded in the file and performs a copy into a heap buffer sized for expected content, producing a classic heap-based buffer overflow classified under [CWE-122].
Attack Vector
Exploitation requires an attacker to deliver a crafted VC6 file and convince the user to open it in Graphite. No network service is exposed; the CVSS vector describes a local attack requiring user interaction. Detailed exploitation mechanics are documented in ZDI-25-635.
// No verified public exploit code is available for CVE-2025-7983.
// Refer to ZDI-25-635 for the vendor-coordinated technical description.
Detection Methods for CVE-2025-7983
Indicators of Compromise
- Unexpected child processes spawned by the Graphite executable after a VC6 file is opened, such as cmd.exe, powershell.exe, or script interpreters
- Crashes of Graphite with heap corruption exceptions recorded in Windows Error Reporting or application event logs
- VC6 files arriving from untrusted email, chat, or shared drive sources shortly before anomalous endpoint activity
Detection Strategies
- Monitor process ancestry to flag any child process created by Graphite that is not part of normal CAD workflows
- Alert on heap corruption or access violation exceptions terminating the Graphite process, which can indicate exploitation attempts or unstable payloads
- Inspect VC6 files at email and web gateways for anomalous size fields or malformed structures relative to legitimate Ashlar-Vellum samples
Monitoring Recommendations
- Enable command-line and process creation auditing on workstations running Graphite and forward events to a central SIEM
- Track file writes to autorun, startup, and scheduled task locations initiated by the Graphite process
- Correlate opens of files with the .vc6 extension against subsequent network connections from the Graphite process
How to Mitigate CVE-2025-7983
Immediate Actions Required
- Restrict opening of VC6 files to those received through trusted, verified channels until a patched build is deployed
- Inventory all endpoints running Ashlar-Vellum Graphite 13.0.48 and prioritize them for update tracking
- Instruct Graphite users to treat unsolicited CAD files as suspicious and validate sender identity before opening
Patch Information
At the time of publication, refer to the vendor advisory referenced in ZDI-25-635 for updated Ashlar-Vellum Graphite builds addressing CVE-2025-7983. Apply the fixed version as soon as it is available from Ashlar-Vellum.
Workarounds
- Block inbound .vc6 attachments at email security gateways where the file type is not required for business operations
- Run Graphite under a standard user account without administrative privileges to limit post-exploitation impact
- Use application allowlisting to prevent Graphite from spawning shells, script interpreters, or LOLBins
# Example: block VC6 attachments in a mail transport rule (pseudocode)
if attachment.extension in [".vc6"] and sender.trusted == false:
quarantine(message)
notify(security_team)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

