CVE-2020-25291

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to cause heap corruption in Kingsoft WPS Office by embedding a specially crafted PNG image with a malicious PLTE chunk in a Word document. The corruption occurs in the Qt library's graphics rendering component. Users of WPS Office versions before 11.2.0.9403 are affected.

💻 Affected Systems

Products:
  • Kingsoft WPS Office
Versions: All versions before 11.2.0.9403
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the Qt 4.x library component used by WPS Office for graphics rendering.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) or limited memory corruption that could be leveraged for information disclosure.

🟢 If Mitigated: No impact if patched version is used or if documents from untrusted sources are blocked.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious document, but could be delivered via email or downloads.
🏢 Internal Only: MEDIUM - Similar risk internally if users open documents from untrusted internal sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit requires user to open a malicious Word document. Technical details and proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.2.0.9403 and later

Vendor Advisory: Not publicly documented by vendor

Restart Required: Yes

Instructions:

1. Open WPS Office.
2. Go to Help → Check for Updates.
3. Install update to version 11.2.0.9403 or later.
4. Restart WPS Office.

🔧 Temporary Workarounds

Disable PNG rendering in documents (Platform: all)

Configure WPS Office to disable PNG image rendering (may break legitimate documents)

Use application control to block vulnerable versions (Platform: windows)

Prevent execution of WPS Office versions below 11.2.0.9403

🧯 If You Can't Patch

  • Block Word documents from untrusted sources at email gateways and web proxies
  • Implement user training to avoid opening documents from unknown senders

🔍 How to Verify

Check if Vulnerable:

Check WPS Office version in Help → About WPS Office. If version is below 11.2.0.9403, system is vulnerable.

Check Version:

wps --version (Linux) or check Help → About (Windows/macOS)

Verify Fix Applied:

Confirm version is 11.2.0.9403 or higher in Help → About WPS Office.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of WPS Office with memory access violations
  • Unexpected termination of WPS Office processes

Network Indicators:

  • Downloads of Word documents with embedded PNG images from suspicious sources

SIEM Query:

(EventID=1000 OR EventID=1001) AND ProcessName="wps.exe" AND ExceptionCode=0xC0000005
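
A structural check that a mail or web gateway could run over PNG images extracted from incoming documents, added here as an example (not code from this advisory, WPS Office or Qt). It flags PLTE chunks that break the PNG specification's rules; the advisory does not say which PLTE property triggers the bug, so this is general conformance checking rather than a signature for CVE-2020-25291. The names `check_plte` and `sample_png` are hypothetical, and the sample input is constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def check_plte(png):
    """Return PNG-spec violations around the PLTE chunk (empty list = none found)."""
    if not png.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos = [], len(PNG_SIG)
    color_type = bit_depth = None
    plte_seen = idat_seen = False
    while pos + 12 <= len(png):          # 12 = length + type + CRC of an empty chunk
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(png):
            findings.append(f"{ctype!r}: chunk runs past end of file")
            break
        data = png[pos + 8:end]
        if struct.unpack(">I", png[end:end + 4])[0] != zlib.crc32(ctype + data):
            findings.append(f"{ctype!r}: bad CRC")
        if ctype == b"IHDR" and length == 13:
            bit_depth, color_type = data[8], data[9]
        elif ctype == b"IDAT":
            idat_seen = True
        elif ctype == b"PLTE":
            entries = length // 3
            rules = [
                (plte_seen, "more than one PLTE chunk"),
                (idat_seen, "PLTE after first IDAT"),
                (length % 3 != 0, "PLTE length not a multiple of 3"),
                (not 1 <= entries <= 256, f"PLTE has {entries} entries (allowed 1..256)"),
                (color_type in (0, 4), "PLTE in a greyscale image"),
                (color_type == 3 and entries > (1 << bit_depth),
                 f"PLTE has {entries} entries, too many for bit depth {bit_depth}"),
            ]
            findings += [msg for bad, msg in rules if bad]
            plte_seen = True
        pos = end + 4
    if color_type == 3 and not plte_seen:
        findings.append("indexed-colour image without PLTE")
    return findings

def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def sample_png(bit_depth, plte_len):
    """Constructed IHDR/PLTE/IEND skeleton (colour type 3, no pixel data) for testing."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, bit_depth, 3, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"PLTE", bytes(plte_len)) + _chunk(b"IEND", b"")
```

A non-empty result is a reason to quarantine the carrying document for review; an empty result only means the palette is well-formed, not that the file is safe.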
