CVE-2026-25961

HIGH

SumatraPDF 3.5.0-3.5.2 - Remote Code Execution via Update Mechanism TLS Hostname Verification Bypass

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-25961. PoCs published by banyamer, XiaomingX, mbanyamer.

AI-analyzed exploit summary This PoC demonstrates a remote code execution vulnerability in SumatraPDF by serving a malicious update server that exploits the lack of TLS hostname verification and installer signature validation.

Description

SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution.

Exploits (3)

exploitdb WORKING POC

by banyamer · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52535

View Code ZIP pw:eip

This PoC demonstrates a remote code execution vulnerability in SumatraPDF by serving a malicious update server that exploits the lack of TLS hostname verification and installer signature validation.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SumatraPDF 3.5.0 - 3.5.2

No auth needed

Prerequisites: MITM position · network traffic redirection

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 05, 2026 Full analysis →

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25961

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2026-25961, demonstrating how an attacker can exploit SumatraPDF's insecure update mechanism by hosting a malicious update server. The PoC includes a Flask-based server that serves a forged update response and a dummy payload, simulating the RCE attack.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SumatraPDF 3.5.0 - 3.5.2

No auth needed

Prerequisites: Network adversary position (MITM/DNS control) · Victim interaction (clicking 'Install')

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC

by mbanyamer · poc

https://github.com/mbanyamer/CVE-2026-25961-SumatraPDF-3.5.0---3.5.2-RCE

View Code ZIP pw:eip

This PoC demonstrates a remote code execution vulnerability in SumatraPDF 3.5.0-3.5.2 by exploiting insecure update mechanisms. It hosts a malicious update server that serves a forged update response and a dummy payload, which would execute when the victim clicks 'Install'.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SumatraPDF 3.5.0 - 3.5.2

No auth needed

Prerequisites: Network adversary position (MITM, DNS control, or rogue access point) · Victim must initiate an update check in SumatraPDF

MITRE ATT&CK

T1189 - Drive-by Compromise T1553.005 - Mark-of-the-Web Bypass

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q

Scores

CVSS v3 7.5

EPSS 0.0044

EPSS Percentile 35.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-295 CWE-494

Status published

Products (1)

sumatrapdfreader/sumatrapdf 3.5 - 3.5.2

Published Feb 09, 2026

Tracked Since Feb 18, 2026