CVE-2025-1047

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Luxion KeyShot installations by tricking users into opening malicious PVS files. Attackers can gain control of the affected system through uninitialized pointer access during file parsing. All users of vulnerable KeyShot versions are affected.

💻 Affected Systems

Products:
  • Luxion KeyShot
Versions: Specific versions not detailed in provided references; check vendor advisory for exact affected versions
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with vulnerable versions are affected regardless of configuration. User interaction required (opening malicious file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the workstation, enabling data theft, lateral movement, and persistence.

🟠 Likely Case

Local privilege escalation leading to malware installation, data exfiltration, or ransomware deployment on the affected system.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only affecting the current user session.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file). The vulnerability is documented by ZDI, suggesting potential for weaponization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched version

Vendor Advisory: https://download.keyshot.com/cert/ksa-113962/ksa-113962.pdf

Restart Required: Yes

Instructions:

1. Download latest KeyShot version from official vendor site
2. Install update following vendor instructions
3. Restart system to ensure patch is fully applied

🔧 Temporary Workarounds

  • Restrict PVS file handling (all platforms): Block or restrict opening of .pvs files through application controls or group policy
  • Application sandboxing (all platforms): Run KeyShot in a restricted/sandboxed environment to limit potential damage

🧯 If You Can't Patch

  • Implement strict file handling policies to prevent opening untrusted PVS files
  • Isolate KeyShot workstations from critical network segments and implement application whitelisting

🔍 How to Verify

Check if Vulnerable:

Check the KeyShot version against the vendor advisory; if an affected version is installed and can open PVS files, the system is vulnerable.

Check Version:

Launch KeyShot and check the 'Help > About' menu for version information

Verify Fix Applied:

Verify that the KeyShot version has been updated to the patched version specified in the vendor advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from KeyShot executable
  • Memory access violations or crashes in KeyShot process logs
  • Unexpected network connections from KeyShot process

Network Indicators:

  • Outbound connections from KeyShot to unexpected destinations
  • DNS requests for suspicious domains following KeyShot execution

SIEM Query:

Process Creation where Parent Process contains 'KeyShot' AND (Command Line contains '.pvs' OR Image contains suspicious patterns)
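
The query above, worked through as an added example (not code from this page or from the vendor): a triage function over process-creation events that flags children of a KeyShot parent and records any .pvs path seen on the command lines. The field names follow Sysmon Event ID 1, the interpreter list is an assumed stand-in for "suspicious patterns", and the sample events, install path and helper.exe are constructed.

```python
import re

# Assumption: child images a renderer has no routine reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "sh", "bash"}
PVS_RE = re.compile(r'([^\s"]+\.pvs)\b', re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased; accepts Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def triage(event):
    """Return a finding for one process-creation event, or None."""
    if "keyshot" not in basename(event.get("ParentImage", "")):
        return None
    child = basename(event.get("Image", ""))
    # The .pvs path may sit on the child's command line or on KeyShot's own.
    pvs = PVS_RE.search(event.get("CommandLine", "") + " " +
                        event.get("ParentCommandLine", ""))
    reasons = []
    if child in SUSPICIOUS_CHILDREN:
        reasons.append("interpreter spawned by KeyShot")
    if pvs:
        reasons.append("PVS file on command line")
    if not reasons:
        return None
    return {"child": child, "pvs_file": pvs.group(1) if pvs else None,
            "severity": "high" if len(reasons) == 2 else "medium",
            "reasons": reasons}

def scan(events):
    """Triage a batch of events and keep only the findings."""
    return [f for f in map(triage, events) if f]

# Constructed sample events; paths and helper.exe are hypothetical.
KEYSHOT = r"C:\Program Files\KeyShot\bin\keyshot.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo test",
     "ParentImage": KEYSHOT,
     "ParentCommandLine": r"keyshot.exe C:\Users\a\Downloads\quote.pvs"},
    {"Image": r"C:\Program Files\KeyShot\bin\helper.exe",
     "CommandLine": "helper.exe --render",
     "ParentImage": KEYSHOT, "ParentCommandLine": "keyshot.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A finding with both reasons is rated high because it ties an unexpected child process to a specific PVS file, which is the file to quarantine and trace back to its delivery path.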
