CVE-2025-2516

CRITICAL

WPS Office >=12.1.0.18276 - Weak Cryptographic Key Pair in Signature Verification

Description

The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who has successfully recovered the private key to sign components. Because older versions of WPS Office did not validate the update server's certificate, an adversary-in-the-middle attack was possible, allowing updates to be hijacked.

Scores

CVSS v4 9.5
EPSS 0.0011
EPSS Percentile 1.6%
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-326
Status published
Products (1)
Kingsoft/WPS Office 12.1.0.18276
Published Mar 27, 2025
Tracked Since Feb 18, 2026