CVE-2020-27250
📋 TL;DR
This is a heap-based buffer overflow vulnerability in SoftMaker Office PlanMaker 2021 that allows remote code execution when a user opens a specially crafted document. Attackers can exploit this to execute arbitrary code with the privileges of the user opening the document. All users of the affected software version are vulnerable.
💻 Affected Systems
- SoftMaker Office PlanMaker 2021
📦 What is this software?
PlanMaker 2021 by SoftMaker
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through remote code execution, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Arbitrary code execution with user privileges, enabling data exfiltration, credential theft, and lateral movement within the network.
If Mitigated
Limited impact if proper application sandboxing, least privilege principles, and network segmentation are implemented.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious document). Technical details and proof-of-concept are publicly available in the Talos Intelligence report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Revision 1015 or later
Vendor Advisory: https://www.softmaker.com/en/security-advisory
Restart Required: Yes
Instructions:
1. Open SoftMaker Office.
2. Go to Help > Check for Updates.
3. Follow the prompts to install the latest version.
4. Restart the computer after installation completes.
🔧 Temporary Workarounds
- Disable PlanMaker file associations: prevent automatic opening of .pmd/.pmdx files with PlanMaker
  - Windows: Use 'Default Programs' settings to change file associations
  - Linux/macOS: Remove .pmd/.pmdx file associations from the desktop environment
- Application sandboxing: run PlanMaker in a restricted environment
  - Windows: Use AppLocker or Windows Sandbox
  - Linux: Use Firejail or SELinux sandboxing
  - macOS: Use Apple Sandbox
🧯 If You Can't Patch
- Implement strict email filtering to block suspicious Office documents
- Deploy endpoint detection and response (EDR) solutions to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the PlanMaker version: Open PlanMaker > Help > About. If the version shows Revision 1014, the system is vulnerable.
Check Version:
Windows: wmic product where name="SoftMaker Office PlanMaker 2021" get version
Linux: dpkg -l | grep softmaker-office-planmaker
macOS: pkgutil --pkg-info com.softmaker.office2021
Verify Fix Applied:
Verify version shows Revision 1015 or higher in Help > About dialog.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from PlanMaker.exe
- Memory access violations in application logs
- Crash reports from PlanMaker
Network Indicators:
- Unexpected outbound connections from PlanMaker process
- DNS requests to suspicious domains after document opening
SIEM Query (field names are illustrative and vary by SIEM; the intent is a shell spawned as a child of PlanMaker, not every PlanMaker launch):
parent_process_name:"PlanMaker.exe" AND event_id:4688 AND (process_cmdline:*powershell* OR process_cmdline:*cmd.exe*)
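The same parent/child logic as the SIEM query, run over sample process-creation records so it can be checked offline. This is an added example, not code from the advisory or from SoftMaker; the records are constructed in the shape of Windows Security event 4688 exported as JSON lines, and the list of flagged child images extends the query's powershell/cmd pair with a few common script hosts (an assumption about what a document viewer should never spawn).

```python
import json
import ntpath

# Child images a document viewer has no business spawning. powershell/cmd come
# from the SIEM query; the other script hosts are an added assumption.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}
PLANMAKER_IMAGE = "planmaker.exe"

# Constructed sample records (not real telemetry) mimicking Security event 4688
# (process creation) as JSON lines; 4689 is a termination event and must be ignored.
SAMPLE_EVENTS = [
    r'{"EventID": 4688, "NewProcessName": "C:\\Program Files\\SoftMaker Office 2021\\PlanMaker.exe", "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "PlanMaker.exe invoice.pmdx"}',
    r'{"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentProcessName": "C:\\Program Files\\SoftMaker Office 2021\\PlanMaker.exe", "CommandLine": "powershell -w hidden -enc <redacted>"}',
    r'{"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c dir"}',
    r'{"EventID": 4688, "NewProcessName": "C:\\Windows\\splwow64.exe", "ParentProcessName": "C:\\Program Files\\SoftMaker Office 2021\\PlanMaker.exe", "CommandLine": "splwow64.exe"}',
    r'{"EventID": 4689, "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Program Files\\SoftMaker Office 2021\\PlanMaker.exe", "CommandLine": "cmd.exe"}',
]


def image_name(path):
    """Lower-cased file name of a Windows image path, e.g. 'planmaker.exe'."""
    return ntpath.basename(path or "").lower()


def is_suspicious_child(event):
    """True when a 4688 record shows a shell or script host spawned by PlanMaker."""
    if event.get("EventID") != 4688:
        return False
    parent = image_name(event.get("ParentProcessName"))
    child = image_name(event.get("NewProcessName"))
    return parent == PLANMAKER_IMAGE and child in SUSPICIOUS_CHILDREN


def find_alerts(lines):
    """Parse JSON-lines 4688 records and return one alert dict per suspicious spawn."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if is_suspicious_child(event):
            alerts.append({
                "parent": image_name(event["ParentProcessName"]),
                "child": image_name(event["NewProcessName"]),
                "cmdline": event.get("CommandLine", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {alert['parent']} spawned {alert['child']}: {alert['cmdline']}")
```

Only the powershell spawn is reported; the legitimate PlanMaker launch, the explorer-spawned cmd.exe, the spooler helper and the 4689 termination record are all dropped.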