CVE-2025-0412
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Luxion KeyShot Viewer installations by tricking users into opening malicious KSP files. Attackers can gain control of the affected system with the same privileges as the current user. All users of vulnerable KeyShot Viewer versions are affected.
💻 Affected Systems
- Luxion KeyShot Viewer
📦 What is this software?
Keyshot by Luxion
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to data exfiltration, malware installation, or persistence mechanisms being established on the compromised system.
If Mitigated
Limited impact if proper application sandboxing, least privilege principles, and network segmentation are implemented, though data loss is still possible.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). No public exploit code available as of knowledge cutoff.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://download.keyshot.com/cert/lsa-960930/lsa-960930.pdf?version=1.0
Restart Required: No
Instructions:
1. Visit the Luxion KeyShot website
2. Download the latest version of KeyShot Viewer
3. Install the update following vendor instructions
4. Verify installation by checking version number
🔧 Temporary Workarounds
Block KSP file extensions
allPrevent execution of KSP files at the email gateway or endpoint protection level
User awareness training
allEducate users not to open KSP files from untrusted sources
🧯 If You Can't Patch
- Disable KeyShot Viewer entirely and use alternative software
- Implement application whitelisting to prevent unauthorized execution of KeyShot Viewer
🔍 How to Verify
Check if Vulnerable:
Check KeyShot Viewer version against vendor advisory. If using version prior to patched release, system is vulnerable.Check Version:
Open KeyShot Viewer and check 'About' menu or Help > AboutVerify Fix Applied:
Verify KeyShot Viewer version matches or exceeds the patched version specified in vendor advisory.📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from KeyShot Viewer
- Memory access violations in application logs
- Failed file parsing attempts
Network Indicators:
- Outbound connections from KeyShot Viewer to unknown IPs
- Unusual network traffic patterns following KSP file opening
SIEM Query:
process_name:"KeyShot Viewer" AND (event_type:"process_creation" OR event_type:"memory_access_violation")