## https://sploitus.com/exploit?id=C9B0C3FA-D400-547F-9BF9-A7BA48DD4E92
# SumatraPDF Insecure Update PoC
**CVE-2026-25961** โ Remote Code Execution via Malicious Update Server
**Author:** Mohammed Idrees Banyamer
---
**Date:** February 2026
**CVE:** [CVE-2026-25961](https://nvd.nist.gov/vuln/detail/CVE-2026-25961)
**GHSA:** [GHSA-xpm2-rr5m-x96q](https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q)
**CVSS v3.1:** 7.5 High (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
**Affected versions:** SumatraPDF 3.5.0 โ 3.5.2
**Tested on:** Windows 10 / Windows 11
## Vulnerability
SumatraPDF versions 3.5.0 to 3.5.2 disable TLS hostname validation during the auto-update check and do not verify the digital signature or integrity of the downloaded installer.
A network-positioned attacker can:
- Intercept / spoof the request to `https://www.sumatrapdfreader.org/update-check-rel.txt`
- Return a forged response pointing to an attacker-controlled executable
- When the user clicks "Install", SumatraPDF executes the file via `CreateProcess`
Realistic attack vectors: rogue Wi-Fi, compromised home/office router, DNS hijacking, transparent proxy injection, etc.
## Features of this PoC
- Forges a realistic `update-check-rel.txt` response
- Hosts a malicious installer file
- Logs victim IP when payload is requested
- Simple Flask-based server (easy to deploy / modify)
## Requirements
```bash
pip install flask
```
## Usage
``` bash
# Example with msfvenom (optional)
msfvenom -p windows/x64/exec CMD=calc.exe -f exe > malicious_installer.exe
#Run the server:
python3 CVE-2026-25961_poc.py