Cyber Resilience

CVE-2025-1047

High

Published: 23 April 2025

Published
23 April 2025
Modified
07 August 2025
KEV Added
Patch
CVSS Score v3 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0038 59.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1047 is a high-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Luxion Keyshot. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 40.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Luxion KeyShot contains an uninitialized pointer vulnerability (CWE-824) in its PVS file parser that permits remote code execution. The flaw occurs when the application accesses a pointer that has not been properly initialized during parsing of specially crafted PVS files, allowing an attacker to execute arbitrary code in the context of the KeyShot process. The issue was reported as ZDI-CAN-23694 and carries a CVSS 3.0 score of 7.8.

An attacker can exploit the vulnerability by convincing a target to open a malicious PVS file or visit a page that delivers such a file. Successful exploitation grants code execution without requiring authentication, although user interaction is mandatory. The attack vector is local with respect to the file system yet can be delivered remotely through standard user workflows.

The EPSS score rose from a low baseline to a peak of 0.0148 on 2026-05-25 before receding to the current value of 0.0038, indicating a measurable increase in exploitation interest after public disclosure. Advisories from Zero Day Initiative and Luxion are available at the referenced URLs, though specific patch or mitigation details are not provided in the source data.

EU & UK References

Vulnerability details

Luxion KeyShot PVS File Parsing Access of Uninitialized Pointer Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target…

more

must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pvs files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23694.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

luxion
keyshot
≤ 2025.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References