Skip to main content
CVE Vulnerability Database

CVE-2025-7987: Ashlar Graphite RCE Vulnerability

CVE-2025-7987 is a remote code execution flaw in Ashlar-Vellum Graphite VC6 file parsing that allows attackers to execute arbitrary code. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2025-7987 Overview

CVE-2025-7987 is an out-of-bounds write vulnerability in Ashlar-Vellum Graphite, a computer-aided design (CAD) application. The flaw exists in the parser that handles VC6 files. Attackers can exploit this weakness to execute arbitrary code in the context of the current user.

Exploitation requires user interaction. The victim must open a crafted VC6 file or visit a page that delivers one. The Zero Day Initiative tracks this issue as ZDI-CAN-25756 and published advisory ZDI-25-641. The vulnerability maps to [CWE-787] (Out-of-bounds Write).

Critical Impact

Successful exploitation allows arbitrary code execution with the privileges of the user running Ashlar-Vellum Graphite, enabling attacker persistence, data theft, and lateral movement on the affected workstation.

Affected Products

  • Ashlar-Vellum Graphite 13.0
  • Ashlar-Vellum Graphite installations that process VC6 files
  • Workstations running vulnerable Graphite versions on Windows

Discovery Timeline

  • 2025-09-17 - CVE-2025-7987 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7987

Vulnerability Analysis

The vulnerability resides in the VC6 file parser inside Ashlar-Vellum Graphite. The parser reads user-supplied structure fields from the file without validating whether the resulting write operations stay within the bounds of an allocated buffer. Attackers who control the file contents can steer the parser into writing past the end of that buffer.

An out-of-bounds write in a native desktop application typically corrupts adjacent heap metadata, function pointers, or virtual method tables. A crafted VC6 payload can shape the heap so that the overflow overwrites a controllable structure. The attacker then redirects execution to code embedded in the file.

Exploitation runs code in the process context of Graphite. On a typical Windows workstation, that context inherits the interactive user's privileges, which is often sufficient for credential theft, persistence, or staging further attacks.

Root Cause

The root cause is missing validation of user-supplied data during VC6 file parsing. The parser does not verify size or offset fields before writing decoded content into a heap-allocated buffer, which produces the out-of-bounds write condition described in [CWE-787].

Attack Vector

The attack vector is local and requires user interaction. An attacker delivers a malicious VC6 file through email, a shared drive, a web download, or an embedded link on a malicious page. When a user opens the file in Ashlar-Vellum Graphite, the vulnerable parser processes the attacker-controlled data and triggers the memory corruption.

Because CAD files are routinely exchanged between engineers, suppliers, and contractors, social engineering pretexts such as revised drawings or vendor part designs are plausible delivery mechanisms.

No verified public proof-of-concept code is available. Technical details are described in the Zero Day Initiative Advisory ZDI-25-641.

Detection Methods for CVE-2025-7987

Indicators of Compromise

  • Unexpected crashes or exception events generated by the Graphite process shortly after opening a VC6 file
  • VC6 files arriving from untrusted sources, especially through email attachments or external file-sharing links
  • Child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned by the Graphite executable
  • Outbound network connections initiated by the Graphite process to unfamiliar hosts after file open

Detection Strategies

  • Monitor process lineage for Graphite spawning script interpreters or living-off-the-land binaries
  • Alert on Graphite process crashes with access violation exception codes, which can indicate exploitation attempts
  • Inspect email gateways and web proxies for inbound VC6 attachments from unverified senders
  • Correlate file-open telemetry with subsequent suspicious process, file, or network activity

Monitoring Recommendations

  • Enable command-line and process-creation auditing on workstations that run Graphite
  • Log file writes to user-writable persistence locations such as Startup, Run registry keys, and scheduled tasks after CAD file activity
  • Retain endpoint telemetry for at least 90 days to support retrospective hunts once new indicators emerge
  • Track software inventory to identify all hosts running Graphite version 13.0

How to Mitigate CVE-2025-7987

Immediate Actions Required

  • Inventory all workstations running Ashlar-Vellum Graphite and identify version 13.0 installations
  • Restrict opening of VC6 files to trusted, verified sources until a vendor patch is applied
  • Apply application allowlisting to prevent Graphite from launching script interpreters or unsigned binaries
  • Educate CAD users on the risk of opening unsolicited VC6 files, including files received from known contacts

Patch Information

At the time of publication, no vendor advisory URL is listed in the NVD entry. Administrators should consult Ashlar-Vellum directly and monitor the Zero Day Initiative Advisory ZDI-25-641 for updated remediation guidance and fixed version information.

Workarounds

  • Block VC6 file attachments at the email gateway pending patch availability
  • Open untrusted CAD files only inside isolated virtual machines or sandboxed environments
  • Remove Graphite from systems where it is not actively required to reduce attack surface
  • Run Graphite under a standard user account with Windows Defender Exploit Protection mitigations enabled
bash
# Example: block VC6 attachments at an Exchange transport rule (PowerShell)
New-TransportRule -Name "Block VC6 Attachments" \
  -AttachmentExtensionMatchesWords "vc6" \
  -RejectMessageReasonText "VC6 attachments are blocked pending CVE-2025-7987 remediation."

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.