CVE-2025-6661

7.8 HIGH

📋 TL;DR

A use-after-free in PDF-XChange Editor's handling of App objects lets a remote attacker execute arbitrary code in the context of the Editor process when a user opens a crafted PDF or visits a web page that serves one. Every installation below the fixed version is affected. Because the only precondition is that the victim open a document, crafted PDFs delivered by e-mail or download are the expected vector; code runs with the privileges of the user who opened the file.

💻 Affected Systems

Products:
  • PDF-XChange Editor
Versions: All releases before the fixed version given in the vendor security bulletin (the fixed build is not stated on this page)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Every Windows installation of PDF-XChange Editor below the fixed version is affected, including 32-bit and 64-bit builds. Exploitation requires the user to open a crafted PDF or visit a page that serves one; no authentication or network exposure of the host is involved.

📦 What is this software?

PDF-XChange Editor is a commercial PDF viewer and editor for Windows from PDF-XChange Co. Ltd. (formerly Tracker Software Products). It includes a JavaScript engine so that documents can run form and action scripts; the App object this vulnerability concerns is part of that scripting surface, which is why disabling document JavaScript is listed as a workaround below.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Arbitrary code execution with the privileges of the user running PDF-XChange Editor. Where that user is a local administrator, or the attacker chains a separate privilege-escalation bug, this becomes full host compromise, with data theft, ransomware deployment, or lateral movement as the follow-on.

🟠 Likely Case

Phishing campaigns delivering crafted PDFs (as attachments or download links) that, once opened in the Editor, run a loader to steal credentials or establish persistence on the victim's workstation.

🟢 If Mitigated

Limited impact where the Editor runs as a standard (non-admin) user, document JavaScript is disabled or the application is sandboxed, and network segmentation limits lateral movement from the affected workstation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

User interaction is required: the victim must open a crafted PDF or visit a page that serves one. No public proof of concept was known when this page was written; the "likely" weaponization rating is an estimate based on the bug class (use-after-free reachable from document content) and the published ZDI advisory ZDI-25-446 identifying the affected component, not on observed attacks. Treat the complexity rating as medium because a reliable exploit needs heap grooming from document JavaScript, but file-format bugs of this kind are routinely weaponized once the fixed build can be diffed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The fixed build is not stated on this page; take it from the vendor security bulletin for CVE-2025-6661

Vendor Advisory: https://www.pdf-xchange.com/support/security-bulletins.html

Restart Required: Application only. Close every PDF-XChange Editor instance before installing; a system reboot is not normally needed for a user-mode application update.

Instructions:

1. Read the PDF-XChange security bulletins page and note the fixed version for CVE-2025-6661
2. Download the current installer from the vendor (or use the Editor's own update check) and install it with all Editor instances closed
3. Relaunch the Editor and confirm in Help → About that the version is at or above the fixed version; repeat on every machine, including 32-bit-on-64 and per-user installs

🔧 Temporary Workarounds

Disable App Objects

windows

The App object is exposed to document JavaScript. If documents in your environment do not need scripting, disable JavaScript actions in the Editor's preferences (JavaScript category). This removes the path a crafted PDF uses to reach the vulnerable code, at the cost of scripted forms no longer working.

Application Control

windows

Application allow-listing (AppLocker or WDAC) does not act on PDF documents, which are data rather than executables, so it does not stop the bug from triggering. Its value here is containment: a payload dropped or launched by a compromised Editor process cannot run if it is not on the allow list, and blocking script hosts (wscript.exe, cscript.exe, mshta.exe) for standard users removes the usual second stage.

🧯 If You Can't Patch

  • Filter inbound e-mail so PDF attachments from untrusted senders are quarantined or detonated in a sandbox before delivery
  • Open PDFs of unknown provenance only in an isolated environment (sandbox, disposable VM, or a browser's built-in viewer rather than the Editor)
  • Run the Editor as a standard user, never from an administrative account, so a successful exploit inherits limited privileges

🔍 How to Verify

Check Version:

In PDF-XChange Editor: Help → About. The executable is PDFXEdit.exe; its file version can also be read from the installation directory for remote or scripted checks.

Check if Vulnerable:

The installed version is lower than the fixed version listed in the vendor security bulletin (the fixed build is not stated on this page).

Verify Fix Applied:

The installed version matches or exceeds the fixed version in the bulletin on every machine, including 32-bit-on-64 and per-user installs, which register under different registry hives.
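The Help → About check above does not scale to a fleet. The following PowerShell is an added example written for this page, not vendor tooling: it locates PDF-XChange Editor through the Windows Uninstall registry hives, reads the version stamped on the binary, and compares it with the fixed version you supply from the bulletin. The DisplayName pattern, the PDFXEdit.exe file name and the default install path under Tracker Software are assumptions about this product; the fixed version is deliberately a parameter because this page does not state it.

```powershell
# Added example (not PDF-XChange vendor tooling): compare the installed
# PDF-XChange Editor with the fixed version from the vendor bulletin.
# Assumptions: the product registers under the standard Uninstall hives with a
# DisplayName starting "PDF-XChange Editor", and its binary is PDFXEdit.exe,
# by default under C:\Program Files\Tracker Software\PDF Editor.

function Get-PdfXChangeEditorInstall {
    # Native 64-bit, 32-bit-on-64 and per-user installs live in different hives.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if ($p.DisplayName -like 'PDF-XChange Editor*') {   # assumed name pattern
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    InstallLocation = $p.InstallLocation
                    Hive            = $root
                }
            }
        }
    }
}

function Test-PdfXChangeEditorPatched {
    param(
        # Copy this from the vendor security bulletin; it is deliberately not
        # hard-coded because the fixed version is not stated on this page.
        [Parameter(Mandatory)][version]$PatchedVersion
    )
    $installs = @(Get-PdfXChangeEditorInstall)
    if ($installs.Count -eq 0) {
        return [pscustomobject]@{ Status = 'NotInstalled'; Installed = $null; Required = $PatchedVersion; Path = $null; Hive = $null }
    }
    foreach ($i in $installs) {
        # Prefer the version stamped on the binary itself; registry strings can
        # be left stale by repair or in-place upgrade installs.
        $dir = if ($i.InstallLocation) { $i.InstallLocation } else { 'C:\Program Files\Tracker Software\PDF Editor' }  # assumed default
        $exe = Join-Path $dir 'PDFXEdit.exe'
        if (Test-Path $exe) {
            $installed = (Get-Item $exe).VersionInfo.FileVersionRaw
        } else {
            try { $installed = [version]$i.DisplayVersion } catch { $installed = $null }
        }
        $status = 'Vulnerable'
        if ($null -eq $installed) { $status = 'Unknown' }
        elseif ($installed -ge $PatchedVersion) { $status = 'Patched' }
        [pscustomobject]@{
            Status    = $status
            Installed = $installed
            Required  = $PatchedVersion
            Path      = $exe
            Hive      = $i.Hive
        }
    }
}
```

Run `Test-PdfXChangeEditorPatched -PatchedVersion <fixed version from the bulletin>` through your RMM or Intune script channel and collect the objects centrally. A Status of Unknown means the binary was not found and the registry version string could not be parsed, so that host needs a manual Help → About check; NotInstalled hosts can be excluded from the remediation list.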

📡 Detection & Monitoring

Log Indicators:

  • PDFXEdit.exe as the parent of cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe or certutil.exe (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled). The Editor normally spawns little beyond the default browser for clicked links.
  • Repeated PDFXEdit.exe crashes (Application log Event ID 1000, Windows Error Reporting entries) clustered around document opens, which can mark failed exploitation attempts against a use-after-free
  • PDFXEdit.exe writing executables, scripts, or DLLs to %TEMP%, %APPDATA%, or Startup locations shortly after a PDF is opened

Network Indicators:

  • Outbound connections initiated by PDFXEdit.exe to destinations other than the vendor's update and licensing hosts
  • DNS requests to newly seen or suspicious domains immediately after a PDF is opened

SIEM Query:

Process creation (Sysmon Event ID 1 or Security 4688) where ParentImage ends with '\PDFXEdit.exe' AND Image ends with one of: cmd.exe, powershell.exe, pwsh.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, certutil.exe, bitsadmin.exe. Exclude the default browser and any other children confirmed benign during baselining.
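The pseudo-query above, turned into something a responder can run on an endpoint or hand to a SIEM engineer as reference logic. This is an added example written for this page, not part of the advisory: it parses Sysmon Event ID 1 records from the local Sysmon Operational log, flags PDFXEdit.exe spawning script hosts or other LOLBins, and adds a note when the child command line carries download or encoded-script markers. The LOLBin list, the expected-children list (the default browser for clicked links) and the three sample events at the bottom are constructed for illustration and must be baselined against your own estate.

```powershell
# Added example (not part of the advisory): flag PDF-XChange Editor spawning
# script hosts or other LOLBins, using Sysmon Event ID 1 (process creation).
# Assumes Sysmon logs to Microsoft-Windows-Sysmon/Operational and that the
# Editor's process name is PDFXEdit.exe.

# Children an attacker's second stage typically needs; tune to your estate.
$SuspiciousChildren = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe',
    'msiexec.exe', 'curl.exe'
)

# Children the Editor legitimately launches (clicking a link opens the default
# browser). Assumed list, not a vendor statement; extend after baselining.
$ExpectedChildren = @('msedge.exe', 'chrome.exe', 'firefox.exe', 'PDFXEdit.exe')

function Test-SuspiciousPdfXChangeChild {
    param(
        [string]$ParentImage = '',
        [string]$Image = '',
        [string]$CommandLine = ''
    )
    # Only care about children of the Editor; -ne on strings is case-insensitive.
    if ([IO.Path]::GetFileName($ParentImage) -ne 'PDFXEdit.exe') { return $null }
    $child = [IO.Path]::GetFileName($Image)
    if ($ExpectedChildren -contains $child) { return $null }

    $reason = if ($SuspiciousChildren -contains $child) { "LOLBin child $child" } else { "Unexpected child $child" }
    # Encoded PowerShell, in-memory download cradles, or raw URLs in the command line.
    if ($CommandLine -match '-enc(odedcommand)?\s|FromBase64String|\bIEX\b|DownloadString|https?://') {
        $reason += '; command line contains download or encoded-script markers'
    }
    return $reason
}

function Get-PdfXChangeSpawnAlerts {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $reason = Test-SuspiciousPdfXChangeChild -ParentImage $d['ParentImage'] -Image $d['Image'] -CommandLine $d['CommandLine']
        if ($reason) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Host        = $_.MachineName
                User        = $d['User']
                Parent      = $d['ParentImage']
                Child       = $d['Image']
                CommandLine = $d['CommandLine']
                Reason      = $reason
            }
        }
    }
}

# Constructed sample events (not real telemetry) so the filter can be exercised
# offline: one exploit-style child, one benign browser launch, one unrelated parent.
$sample = @(
    @{ ParentImage = 'C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' },
    @{ ParentImage = 'C:\Program Files\Tracker Software\PDF Editor\PDFXEdit.exe'
       Image       = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
       CommandLine = 'msedge https://example.com/' },
    @{ ParentImage = 'C:\Windows\explorer.exe'
       Image       = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd /c dir' }
)
foreach ($s in $sample) {
    $r = Test-SuspiciousPdfXChangeChild @s
    $verdict = if ($r) { 'ALERT' } else { 'ok' }
    '{0,-6} {1}' -f $verdict, ($(if ($r) { $r } else { [IO.Path]::GetFileName($s.Image) }))
}
```

Run `Get-PdfXChangeSpawnAlerts -Since (Get-Date).AddDays(-7)` on a suspect host, or port `Test-SuspiciousPdfXChangeChild` to your SIEM's query language using the same parent, child and command-line conditions. Before alerting on "Unexpected child", baseline for a week: helper processes the Editor launches in your environment (updaters, print drivers, viewers for embedded attachments) belong in `$ExpectedChildren`, while anything in `$SuspiciousChildren` should page regardless.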

🔗 References

  • Vendor security bulletins: https://www.pdf-xchange.com/support/security-bulletins.html
  • ZDI advisory ZDI-25-446: https://www.zerodayinitiative.com/advisories/ZDI-25-446/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-6661
