Cyber Resilience

CVE-2026-25961

HighPublic PoC

Published: 09 February 2026

Published
09 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0013 32.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25961 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Sumatrapdfreader Sumatrapdf. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

CVE-2026-25961 affects SumatraPDF, a multi-format reader for Windows, specifically versions 3.5.0 through 3.5.2. The vulnerability lies in the application's update mechanism, which disables TLS hostname verification by using the INTERNET_FLAG_IGNORE_CERT_CN_INVALID flag and executes downloaded installers without performing signature checks. This issue, published on 2026-02-09, is associated with CWE-295 (Improper Certificate Validation) and CWE-494 (Download of Code Without Integrity Check), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H).

A network-based attacker positioned to perform a man-in-the-middle interception can exploit this vulnerability if they possess any valid TLS certificate, such as one issued by Let's Encrypt. By intercepting the update check request from a victim user, the attacker can inject a malicious installer URL. If the user interacts with the update process (UI:R), the application will download and execute the malicious installer, resulting in arbitrary code execution on the victim's Windows system with the user's privileges.

Mitigation details and patches are outlined in the official GitHub security advisory at https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q.

EU & UK References

Vulnerability details

SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update…

more

check request, inject a malicious installer URL, and achieve arbitrary code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Vulnerability in update mechanism (disabled TLS hostname verification + missing installer signature checks) directly enables MITM attacker to deliver and trigger execution of arbitrary code via malicious update payload.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25880Same product: Sumatrapdfreader Sumatrapdf
CVE-2026-23512Same product: Sumatrapdfreader Sumatrapdf
CVE-2024-31854Shared CWE-295
CVE-2024-47258Shared CWE-295
CVE-2026-32627Shared CWE-295
CVE-2024-55581Shared CWE-295
CVE-2025-11043Shared CWE-295
CVE-2024-50691Shared CWE-295
CVE-2024-29171Shared CWE-295
CVE-2025-9293Shared CWE-295

Affected Assets

sumatrapdfreader
sumatrapdf
3.5 — 3.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires cryptographic signatures or integrity verification for software components prior to installation or execution, directly preventing the running of malicious unsigned installers from compromised updates.

preventdetect

Enforces integrity verification of software and firmware to detect unauthorized modifications, mitigating execution of tampered installers downloaded via the vulnerable update mechanism.

prevent

Establishes certificate validation requirements for PKI, preventing man-in-the-middle attacks that exploit disabled TLS hostname verification during update checks.

References