CVE-2025-7986 Overview
CVE-2025-7986 is an out-of-bounds write vulnerability [CWE-787] in Ashlar-Vellum Graphite, a computer-aided design (CAD) application. The flaw exists in the parser that handles VC6 files. Improper validation of user-supplied data allows an attacker to write past the end of an allocated buffer. Successful exploitation results in arbitrary code execution in the context of the current process.
Exploitation requires user interaction. The target must open a malicious VC6 file or visit a page that delivers one. The issue was reported through Trend Micro's Zero Day Initiative and tracked as ZDI-CAN-25755.
Critical Impact
Attackers can achieve arbitrary code execution on workstations running Ashlar Graphite by delivering a crafted VC6 file to a user.
Affected Products
- Ashlar-Vellum Graphite 13.0
- Vendor: Ashlar-Vellum
- Component: ashlar:graphite VC6 file parser
Discovery Timeline
- 2025-09-17 - CVE-2025-7986 published to NVD
- 2026-06-17 - Last updated in NVD database
- Reference - Zero Day Initiative Advisory ZDI-25-639
Technical Details for CVE-2025-7986
Vulnerability Analysis
The vulnerability resides in the VC6 file parsing logic within Ashlar Graphite. When the parser processes attacker-controlled fields in a VC6 document, it fails to verify that the data fits within the destination buffer. The parser then writes beyond the allocated bounds, corrupting adjacent memory.
An out-of-bounds write [CWE-787] of this kind can overwrite heap metadata, function pointers, or other control structures. Attackers can shape the heap to gain reliable control over execution flow. The result is code execution in the security context of the user who opened the file.
The vulnerability carries an EPSS probability of 0.189%, indicating low observed exploitation activity. However, CAD files are routinely shared between engineering teams, contractors, and external partners, which broadens the realistic delivery surface.
Root Cause
The root cause is missing length validation on user-supplied data inside the VC6 parser. The parser trusts size or offset fields from the file without bounds checks against the destination buffer. This pattern is a recurring weakness in legacy binary file formats where parsing routines predate modern input validation practices.
Attack Vector
The attack vector is local and requires user interaction. An attacker crafts a malicious VC6 file and delivers it through email attachments, file shares, project collaboration platforms, or a web page hosting the file. When the victim opens the file in Ashlar Graphite, the malformed data triggers the out-of-bounds write and the attacker's payload executes.
No network privileges or prior authentication on the target system are required. The attacker only needs to convince the user to open the file.
No public proof-of-concept exploit code is available. Refer to the Zero Day Initiative advisory ZDI-25-639 for additional technical context.
Detection Methods for CVE-2025-7986
Indicators of Compromise
- VC6 files received from untrusted sources or arriving outside normal engineering workflows
- Unexpected child processes spawned by the Graphite executable (for example, cmd.exe, powershell.exe, or script interpreters)
- Crash events or Windows Error Reporting entries referencing the Graphite process after opening a CAD file
- Outbound network connections initiated by the Graphite process to non-vendor infrastructure
Detection Strategies
- Monitor process lineage for the Graphite executable and alert on any spawned shell, scripting, or LOLBin process
- Hunt for VC6 files written to user Downloads, email attachment cache directories, or temporary paths followed by Graphite execution
- Inspect endpoint telemetry for module loads or memory allocations consistent with shellcode staging within the Graphite process
Monitoring Recommendations
- Centralize endpoint process and file telemetry from workstations running CAD software for retrospective hunting
- Track Graphite version inventory across the fleet to identify unpatched hosts
- Alert on Graphite process crashes, which may indicate failed exploitation attempts
How to Mitigate CVE-2025-7986
Immediate Actions Required
- Inventory all systems running Ashlar Graphite 13.0 and prioritize them for patching
- Restrict opening of VC6 files to those originating from trusted internal sources
- Educate CAD users on the risk of opening unsolicited design files received via email or external links
- Apply application allowlisting to limit which processes Graphite can spawn
Patch Information
Review the Zero Day Initiative advisory ZDI-25-639 and the Ashlar-Vellum vendor portal for the latest fixed release. At the time of NVD publication, no vendor advisory URL was listed in the CVE record. Upgrade to a Graphite version released after the advisory date once available, and verify the build number matches the vendor's fix.
Workarounds
- Do not open VC6 files from untrusted or unverified sources
- Open suspect CAD files only inside an isolated virtual machine without network access or sensitive data
- Block inbound VC6 attachments at email and web gateways pending patch deployment
- Run Graphite under a standard user account to limit the impact of successful exploitation
# Example: block VC6 attachments at an email gateway (Postfix header_checks)
/^Content-(Disposition|Type).*name="?.*\.vc6"?/ REJECT VC6 attachments blocked pending CVE-2025-7986 remediation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

