CVE-2025-7222

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Luxion KeyShot installations by tricking users into opening malicious 3DM files or visiting malicious web pages. The flaw exists in how KeyShot processes 3DM files, enabling buffer overflow attacks that can lead to full system compromise. All users of affected KeyShot versions are at risk.

💻 Affected Systems

Products:
  • Luxion KeyShot
Versions: Specific versions not detailed in advisory - check vendor advisory for exact affected versions
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with attacker gaining the same privileges as the KeyShot user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Malware installation or data exfiltration through spear-phishing campaigns targeting designers and engineers who regularly exchange 3DM files.

🟢 If Mitigated

Limited impact if user runs with minimal privileges and security controls prevent execution of malicious payloads.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction but uses common buffer overflow techniques. ZDI has confirmed the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched version

Vendor Advisory: http://www.keyshot.com/csirt

Restart Required: Yes

Instructions:

1. Visit http://www.keyshot.com/csirt for official advisory
2. Download and install the latest KeyShot update
3. Restart the application and verify update

🔧 Temporary Workarounds

Restrict 3DM file handling (all platforms)

Configure system to open 3DM files with alternative applications or in sandboxed environments

User awareness training (all platforms)

Train users to only open 3DM files from trusted sources

🧯 If You Can't Patch

  • Run KeyShot with minimal user privileges to limit impact of successful exploitation
  • Implement application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check KeyShot version against vendor advisory at http://www.keyshot.com/csirt

Check Version:

Check Help > About in KeyShot application or consult application documentation

Verify Fix Applied:

Verify KeyShot version is updated to patched version specified in vendor advisory

📡 Detection & Monitoring

Log Indicators:

  • KeyShot crash logs with memory access violations
  • Unexpected child processes spawned from KeyShot

Network Indicators:

  • Unexpected outbound connections from KeyShot process

SIEM Query:

Process creation where parent process contains 'keyshot' AND (command line contains suspicious patterns OR destination IP is malicious)
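
The log and network indicators above, applied to endpoint telemetry as a triage filter. This is an added example, not code from the advisory or the vendor; the event schema, file paths, host names and both allowlists are constructed assumptions.

```python
import re

# Windows access-violation status code, its text form, and the macOS exception name.
CRASH_MARKERS = ("0xc0000005", "access violation", "exc_bad_access")

def basename(path):
    """Last path component, lower-cased; handles Windows and macOS separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def is_keyshot(path):
    # Same substring match as the query above: process name contains 'keyshot'.
    return "keyshot" in basename(path)

def triage(events, allowed_children=frozenset(), allowed_hosts=frozenset()):
    """Return (indicator, event) pairs for the three indicators listed above."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and is_keyshot(ev["parent_image"]):
            child = basename(ev["image"])
            if child not in allowed_children:
                hits.append(("unexpected_child", ev))
        elif kind == "app_crash" and is_keyshot(ev["image"]):
            if any(m in ev["detail"].lower() for m in CRASH_MARKERS):
                hits.append(("memory_access_crash", ev))
        elif kind == "net_connect" and is_keyshot(ev["image"]):
            if ev["dest_host"].lower() not in allowed_hosts:
                hits.append(("unexpected_outbound", ev))
    return hits

# Constructed sample data: hypothetical install paths, helper name and hosts.
KS_WIN = r"C:\Program Files\KeyShot\bin\keyshot.exe"
KS_MAC = "/Applications/KeyShot.app/Contents/MacOS/keyshot"
ALLOWED_CHILDREN = {"approved_helper.exe"}   # placeholder for a locally vetted list
ALLOWED_HOSTS = {"updates.example.com"}      # placeholder for a locally vetted list
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": KS_WIN, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "parent_image": KS_WIN, "image": r"C:\Tools\approved_helper.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": KS_WIN},
    {"type": "app_crash", "image": KS_MAC, "detail": "EXC_BAD_ACCESS (SIGSEGV)"},
    {"type": "app_crash", "image": KS_WIN, "detail": "license check failed"},
    {"type": "net_connect", "image": KS_WIN, "dest_host": "updates.example.com"},
    {"type": "net_connect", "image": KS_MAC, "dest_host": "host.example.net"},
]

if __name__ == "__main__":
    for indicator, ev in triage(SAMPLE_EVENTS, ALLOWED_CHILDREN, ALLOWED_HOSTS):
        print(indicator, ev)
```

Both allowlists need to be built from a baseline of normal KeyShot activity in the environment before the filter is useful; with empty allowlists every child process and connection is reported.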
