Description
The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who has recovered the private key to sign components. Because older versions of WPS Office did not validate the update server's certificate, an adversary-in-the-middle attack was possible, allowing updates to be hijacked.
Scores
CVSS v4: 9.5
EPSS: 0.0009
EPSS Percentile: 24.7%
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-326
Status: published
Products (1): Kingsoft/WPS Office 12.1.0.18276
Published: Mar 27, 2025
Tracked Since: Feb 18, 2026