CVE-2025-0909
Published: 11 February 2025
Summary
CVE-2025-0909 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Pdf-Xchange Pdf-Xchange Editor. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 36.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely remediation of flaws, directly addressing this known out-of-bounds read vulnerability in PDF-XChange Editor via patching as recommended in the ZDI advisory.
SI-10 mandates validation of user-supplied inputs, directly mitigating the lack of proper validation in XPS file parsing that causes the out-of-bounds read.
SI-16 enforces memory protection mechanisms that prevent exploitation of out-of-bounds reads, such as those in the XPS parsing flaw leading to information disclosure.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB read in XPS parsing enables info disclosure and chained code exec via malicious file/web page requiring user interaction.
NVD Description
PDF-XChange Editor XPS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a…
more
malicious page or open a malicious file. The specific flaw exists within the parsing of XPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-25678.
Deeper analysisAI
CVE-2025-0909 is an out-of-bounds read information disclosure vulnerability in the XPS file parsing component of PDF-XChange Editor. The flaw arises from a lack of proper validation of user-supplied data, resulting in a read past the end of an allocated object. Published on 2025-02-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-125.
Remote attackers can exploit this vulnerability by inducing a target user to visit a malicious web page or open a malicious XPS file using PDF-XChange Editor. Exploitation requires user interaction but enables disclosure of sensitive information on affected installations. Attackers can leverage this issue in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.
Details on the vulnerability, including mitigation recommendations and patch information, are provided in the Zero Day Initiative advisory ZDI-25-064, available at https://www.zerodayinitiative.com/advisories/ZDI-25-064/. Security practitioners should review this advisory for guidance on addressing the issue.
Details
- CWE(s)