CVE-2025-66769

High

Published: 13 April 2026

Published

13 April 2026

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0000 0.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66769 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Gonitro Nitro Pdf Pro. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 0.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation requires timely patching of the NULL pointer dereference in Nitro PDF Pro, directly eliminating the vulnerability exploited by crafted XFA packets.

SI-11 Error Handling good match

prevent

Error handling ensures the application gracefully manages NULL pointer dereferences and malformed XFA inputs without crashing and causing DoS.

SI-10 Information Input Validation partial match

prevent

Information input validation scrutinizes XFA packets for malformed content that could trigger the NULL pointer dereference leading to DoS.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

NULL dereference in PDF XFA processing directly enables remote application crash for DoS via crafted input (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet.

Deeper analysisAI

CVE-2025-66769 is a NULL pointer dereference vulnerability (CWE-476) in Nitro PDF Pro for Windows version 14.41.1.4. The issue enables attackers to trigger a Denial of Service (DoS) by processing a crafted XFA packet. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high severity from its network vector, low complexity, no privilege or user interaction requirements, and significant availability impact without affecting confidentiality or integrity.

Remote attackers can exploit this vulnerability without authentication by delivering a malicious XFA packet to a victim using the affected software, such as via email attachments, web downloads, or shared files. Exploitation reliably crashes the Nitro PDF Pro application, denying service to the user until restart, though it does not enable code execution or data compromise.

Mitigation guidance is available in the Jeroscope advisory at https://jeroscope.com/advisories/2025/jero-2025-015/ and on the vendor site at https://www.gonitro.com/. Security practitioners should consult these for patching instructions and workarounds.

Details

CWE(s): CWE-476

Affected Products

gonitro

nitro pdf pro

14.41.1.4

CVEs Like This One

CVE-2025-69624Same product: Gonitro Nitro Pdf Pro

CVE-2025-69627Same product: Gonitro Nitro Pdf Pro

CVE-2026-20875Same vendor: Microsoft

CVE-2026-32071Same vendor: Microsoft

CVE-2025-21285Same vendor: Microsoft

CVE-2026-21525Same vendor: Microsoft

CVE-2026-21243Same vendor: Microsoft

CVE-2025-69260Same product: Microsoft Windows

CVE-2026-33282Shared CWE-476

CVE-2025-0430Shared CWE-476

References

https://jeroscope.com/advisories/2025/jero-2025-015/
Third Party Advisory · cve@mitre.org
https://www.gonitro.com/
Product · cve@mitre.org