CVE-2026-25961
Published: 09 February 2026
Summary
CVE-2026-25961 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Sumatrapdfreader Sumatrapdf. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SC-17 (Public Key Infrastructure Certificates).
Deeper analysis
CVE-2026-25961 affects SumatraPDF, a multi-format reader for Windows, specifically versions 3.5.0 through 3.5.2. The vulnerability lies in the application's update mechanism, which disables TLS hostname verification by using the INTERNET_FLAG_IGNORE_CERT_CN_INVALID flag and executes downloaded installers without performing signature checks. This issue, published on 2026-02-09, is associated with CWE-295 (Improper Certificate Validation) and CWE-494 (Download of Code Without Integrity Check), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H).
A network-based attacker positioned to perform a man-in-the-middle interception can exploit this vulnerability if they possess any valid TLS certificate, such as one issued by Let's Encrypt. By intercepting the update check request from a victim user, the attacker can inject a malicious installer URL. If the user interacts with the update process (UI:R), the application will download and execute the malicious installer, resulting in arbitrary code execution on the victim's Windows system with the user's privileges.
Mitigation details and patches are outlined in the official GitHub security advisory at https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6869
Vulnerability details
SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update…
more
check request, inject a malicious installer URL, and achieve arbitrary code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in update mechanism (disabled TLS hostname verification + missing installer signature checks) directly enables MITM attacker to deliver and trigger execution of arbitrary code via malicious update payload.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires cryptographic signatures or integrity verification for software components prior to installation or execution, directly preventing the running of malicious unsigned installers from compromised updates.
Enforces integrity verification of software and firmware to detect unauthorized modifications, mitigating execution of tampered installers downloaded via the vulnerable update mechanism.
Establishes certificate validation requirements for PKI, preventing man-in-the-middle attacks that exploit disabled TLS hostname verification during update checks.