Share
## https://sploitus.com/exploit?id=C9B0C3FA-D400-547F-9BF9-A7BA48DD4E92
# SumatraPDF Insecure Update PoC  
**CVE-2026-25961** โ€“ Remote Code Execution via Malicious Update Server

**Author:** Mohammed Idrees Banyamer

---

**Date:** February 2026  
**CVE:** [CVE-2026-25961](https://nvd.nist.gov/vuln/detail/CVE-2026-25961)  
**GHSA:** [GHSA-xpm2-rr5m-x96q](https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q)  
**CVSS v3.1:** 7.5 High (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)  
**Affected versions:** SumatraPDF 3.5.0 โ€“ 3.5.2  
**Tested on:** Windows 10 / Windows 11

## Vulnerability

SumatraPDF versions 3.5.0 to 3.5.2 disable TLS hostname validation during the auto-update check and do not verify the digital signature or integrity of the downloaded installer.

A network-positioned attacker can:

- Intercept / spoof the request to `https://www.sumatrapdfreader.org/update-check-rel.txt`
- Return a forged response pointing to an attacker-controlled executable
- When the user clicks "Install", SumatraPDF executes the file via `CreateProcess`

Realistic attack vectors: rogue Wi-Fi, compromised home/office router, DNS hijacking, transparent proxy injection, etc.


## Features of this PoC

- Forges a realistic `update-check-rel.txt` response
- Hosts a malicious installer file
- Logs victim IP when payload is requested
- Simple Flask-based server (easy to deploy / modify)

## Requirements

```bash
pip install flask
```
## Usage
``` bash
# Example with msfvenom (optional)
msfvenom -p windows/x64/exec CMD=calc.exe -f exe > malicious_installer.exe
#Run the server:
python3 CVE-2026-25961_poc.py