CVE-2025-6659

EUVD-2025-19161 | HIGH | Published 2025-06-25 (source: [email protected]) | CVSS 3.0 base score 7.8

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 23:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 23:19 (euvd), EUVD-2025-19161
CVE Published: Jun 25, 2025 - 22:15 (nvd), HIGH 7.8

Description

PDF-XChange Editor PRC File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26734.

Analysis

CVE-2025-6659 is an out-of-bounds write vulnerability in PDF-XChange Editor's PRC file parser that allows remote code execution with high integrity and confidentiality impact (CVSS 7.8). It affects PDF-XChange Editor users who open malicious PRC files or visit compromised websites; exploitation requires user interaction but no special privileges. Although the flaw offers significant local exploitation potential, the real-world risk depends on its KEV/CISA status, EPSS probability data, and proof-of-concept availability, any of which would indicate active threat actor interest.

Technical Context

The vulnerability exists in PDF-XChange Editor's PRC (Print Run Codebook/proprietary raster format) file parsing engine. The root cause is CWE-787 (Out-of-bounds Write), stemming from insufficient validation of user-supplied data during PRC file deserialization. When parsing specially crafted PRC files, the parser fails to properly validate buffer boundaries, allowing an attacker to write data past the allocated heap or stack buffer. This memory corruption can overwrite adjacent structures, function pointers, or return addresses, enabling arbitrary code execution in the context of the PDF-XChange Editor process. The vulnerability was tracked internally as ZDI-CAN-26734 before public disclosure.

Affected Products

PDF-XChange Editor (the specific version range requires the vendor advisory; typically affects recent versions prior to the patch release). Based on the CVE structure, the likely CPE is cpe:2.3:a:tracker-software:pdf-xchange-editor:*:*:*:*:*:*:*:*. The vulnerability requires the target application to parse a PRC file, limiting exposure to installations that support this format. Affected configurations include: (1) standalone PDF-XChange Editor installations with PRC format support enabled; (2) systems with PDF-XChange Editor as an embedded component in document workflows; (3) users whose file association for .prc files points to PDF-XChange Editor.

Remediation

Immediate remediation steps:

(1) Identify the patched version from the Tracker Software vendor advisory (typically announced in security bulletins at tracker-software.com/support or similar).
(2) Deploy the patch to all affected PDF-XChange Editor installations via Software Center/WSUS if centrally managed, or by direct end-user notification if standalone.
(3) Interim mitigations pending patching: disable the PRC file association with PDF-XChange Editor in Windows file type associations; remove .prc file extension handlers; configure file type blocking policies via Group Policy (block .prc via AppLocker or equivalent); educate users not to open unsolicited PRC files; monitor for suspicious file opens via EDR/SIEM.
(4) Long-term: enforce application whitelisting, restrict PDF-XChange Editor usage via Application Control if it is not business-critical, or replace it with alternatives if feasible.

Vendor advisory and patch details require cross-reference to Tracker Software security notifications; check tracker-software.com/changelog or contact vendor support for the precise patched version numbers.
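The interim mitigation in step (3) depends on knowing which application currently handles .prc files on each host. The following PowerShell script is an added example, not code from vuln.today or Tracker Software: it reads the machine-wide and per-user .prc association, resolves the effective open command, reports whether it points at PDF-XChange, and with -Remove clears that association. It assumes administrator rights for the HKLM key and that the string "PDF-XChange" in the open command identifies the editor.

```powershell
# Added example (not from the vuln.today page or Tracker Software): audit which
# application handles the .prc extension and, optionally, remove the association.
# Assumes: run elevated for the HKLM key; "PDF-XChange" in the open command
# identifies the editor (an assumption, adjust the pattern to the local install).
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$ext = '.prc'
$report = [ordered]@{}

# Machine-wide default handler: HKLM\SOFTWARE\Classes\.prc, (default) = ProgId
$machineKey = "HKLM:\SOFTWARE\Classes\$ext"
$machineProgId = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
$report['MachineProgId'] = $machineProgId

# Per-user choice (set via "Open with") overrides the machine default
$userChoicePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
$userProgId = (Get-ItemProperty -Path $userChoicePath -ErrorAction SilentlyContinue).ProgId
$report['UserProgId'] = $userProgId

# Resolve the effective ProgId to its shell\open\command, user hive first
$progId = if ($userProgId) { $userProgId } else { $machineProgId }
$command = $null
if ($progId) {
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
        $cmdKey = Join-Path $root "$progId\shell\open\command"
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ($command) { break }
    }
}
$report['OpenCommand'] = $command
$report['HandledByPdfXChange'] = [bool]($command -and $command -match 'PDF-XChange')

[pscustomobject]$report | Format-List

if ($Remove -and $report['HandledByPdfXChange']) {
    # Deleting the UserChoice key and clearing the machine ProgId leaves .prc
    # without a registered handler, so opening such a file no longer launches the editor.
    if ($PSCmdlet.ShouldProcess($userChoicePath, 'Remove per-user .prc association')) {
        Remove-Item -Path $userChoicePath -Force -ErrorAction SilentlyContinue
    }
    if ($machineProgId -and $PSCmdlet.ShouldProcess($machineKey, 'Clear machine-wide .prc ProgId')) {
        Remove-ItemProperty -Path $machineKey -Name '(default)' -ErrorAction SilentlyContinue
    }
}
```

Run it without -Remove first to inventory hosts (for example through your EDR or a scheduled task), then with -Remove -WhatIf to preview the change before applying it.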

Priority Score

39 (components: KEV: 0, EPSS: +0.1, CVSS: +39, POC: 0)
