Remote Code Execution Vulnerability in PDF-XChange Editor
CVE-2025-6645

7.8 HIGH

Key Information:

Vendor
CVE Published: 25 June 2025

What is CVE-2025-6645?

A use-after-free vulnerability exists in PDF-XChange Editor's handling of U3D files, enabling remote attackers to execute arbitrary code. The flaw results from insufficient validation that an object exists before it is processed. Exploitation requires user interaction: the target must visit a compromised webpage or open a malicious U3D file. The flaw poses a significant security risk, allowing attackers to execute code in the context of the current process.

Affected Version(s)

PDF-XChange Editor 10.5.2.395

CVSS V3.0

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
