CVE-2021-25830

9.8 CRITICAL

📋 TL;DR

CVE-2021-25830 is a critical (CVSS 9.8) remote code execution vulnerability in ONLYOFFICE DocumentServer. Improper file extension handling when the server converts DOCT (its internal editor format) to DOCX lets an attacker who can submit a crafted file to the conversion service execute arbitrary code on the server, in the context of the converter process. Every deployment in the affected version range is exposed, and because these versions ship with JWT request signing disabled, the conversion service accepts jobs from anyone who can reach it over HTTP.

💻 Affected Systems

Products:
  • ONLYOFFICE DocumentServer
Versions: v4.2.0.236 through v5.6.4.13
Operating Systems: Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within the affected version range are vulnerable by default. The bug sits in the ONLYOFFICE core converter library (the x2t binary that DocumentServer ships), which every edition uses for format conversion, so there is no configuration setting that removes the vulnerable code path.

📦 What is this software?

ONLYOFFICE DocumentServer is an open-source online office suite (document, spreadsheet and presentation editors with collaborative editing) that is embedded into other platforms such as Nextcloud, ownCloud, Seafile and ONLYOFFICE Workspace. Besides the editors it exposes a document conversion service over HTTP that integrators call to convert files between formats; the editors themselves also depend on it, since documents are handed to the server in its internal DOCT format and converted to DOCX on save. It is commonly deployed as the onlyoffice/documentserver Docker image or from the vendor's deb/rpm packages.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the host or container running DocumentServer. The attacker runs arbitrary code as the converter's service account (the ds user on package installs; whatever user the container runs it as in Docker), can read every document the server handles and any secrets in its configuration (such as JWT keys shared with integrators), and from there moves laterally or stages ransomware.

🟠 Likely Case: Remote code execution on the document server, exfiltration of documents passing through it, and use of its network position and integrator trust relationships to reach connected systems.

🟢 If Mitigated: With network segmentation, a non-root converter process and no outbound access, impact is confined to the DocumentServer instance and the documents it processes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires chaining multiple bugs but has been publicly documented. The entry point is the conversion service: the attacker submits a crafted document for conversion and the converter's mishandling of the file extension leads to code execution. In the affected versions JWT request signing is disabled by default, so anyone who can reach the HTTP port can submit a conversion job without credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.6.4.14 and later

Vendor Advisory: https://github.com/ONLYOFFICE/DocumentServer/releases

Restart Required: Yes

Instructions:

1. Back up your DocumentServer configuration (/etc/onlyoffice/documentserver) and data before upgrading.
2. Update ONLYOFFICE DocumentServer to version 5.6.4.14 or later: for package installs, upgrade the onlyoffice-documentserver package; for Docker, pull an image tag at or above the fixed version and recreate the container (the fix lives in the image, not in the mounted volumes, so restarting the old container is not enough).
3. Restart the DocumentServer service (or the container).
4. Verify the update: check the installed version again and confirm that a legitimate document still converts and opens in the editor.

🔧 Temporary Workarounds

Restrict DOCT conversion to trusted sources

Platform: all

Disabling DOCT conversion outright is not practical: the editors hand documents to the server in DOCT form on save, so blocking that path breaks editing. The workable form of this mitigation is to stop untrusted clients from submitting conversion jobs at all, by requiring signed requests and by restricting the conversion endpoints (/ConvertService.ashx and /converter) at the reverse proxy to known integrator hosts. Neither removes the vulnerable code; a crafted file that arrives through a trusted or compromised integrator still reaches the converter.

# In /etc/onlyoffice/documentserver/local.json, set services.CoAuthoring.token.enable.request.inbox
# to true and services.CoAuthoring.secret.inbox.string to a long random secret shared with your
# integrators, then restart DocumentServer; unsigned conversion requests are rejected afterwards.

Network segmentation

Platform: linux

Isolate DocumentServer from critical systems and restrict external access. An ACCEPT rule on its own restricts nothing; it must be followed by a DROP for the same ports, and on Docker hosts published ports bypass the INPUT chain entirely, so equivalent rules belong in the DOCKER-USER chain.

# Allow the DocumentServer ports only from trusted networks, then drop everything else.
# 10.0.0.0/8 is a placeholder: replace it with your integrator/client networks.
# Docker: published ports skip INPUT; insert the same rules with -I DOCKER-USER instead.
iptables -A INPUT -p tcp --dport 80  -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls so that only integrator hosts can reach DocumentServer, and in particular its conversion endpoints
  • Enable JWT signing for inbound requests (services.CoAuthoring.token.enable.request.inbox in local.json) so unsigned conversion jobs are rejected; this reduces exposure but does not remove the bug
  • Run the converter without root privileges and with no outbound internet access, so a successful exploit cannot easily fetch tooling or call home
  • Monitor for suspicious file conversion requests and for unexpected child processes of the x2t converter

🔍 How to Verify

Check if Vulnerable:

Check the DocumentServer version. If it's between v4.2.0.236 and v5.6.4.13 inclusive, it's vulnerable.

Check Version:

docker exec onlyoffice-documentserver cat /etc/onlyoffice/documentserver/VERSION 2>/dev/null || grep -i version /var/www/onlyoffice/documentserver/VERSION 2>/dev/null
dpkg-query -W -f='${Version}\n' onlyoffice-documentserver   # package installs and the Debian-based official image; the build number follows a hyphen, e.g. 5.6.4-13 for release 5.6.4.13

Verify Fix Applied:

Confirm the installed version is 5.6.4.14 or later (check again after the restart; a Docker upgrade only takes effect once the container has been recreated from the new image), then test that a legitimate document still converts and opens in the editor. If you enabled JWT as a workaround, also confirm that an unsigned conversion request is rejected.
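The version comparison above is easy to get wrong by hand when the build number is written differently on different platforms, so here is an added example (not ONLYOFFICE code) that normalises the formats you will actually see and tests the inclusive range stated on this page. The dpkg lookup assumes a package install or the Debian-based official Docker image, where the package is named onlyoffice-documentserver and the build number follows a hyphen (5.6.4-13 for release 5.6.4.13); everything else works offline.

```python
"""Version-range check for CVE-2021-25830.

Added example, not ONLYOFFICE code. The affected range and fix version come from the
advisory text above. The dpkg lookup assumes a package install or the Debian-based
official image, where the package is onlyoffice-documentserver and the build number
follows a hyphen (e.g. 5.6.4-13 for release 5.6.4.13).
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

FIRST_VULNERABLE: Version = (4, 2, 0, 236)   # inclusive
LAST_VULNERABLE: Version = (5, 6, 4, 13)     # inclusive
FIXED: Version = (5, 6, 4, 14)

# major.minor.patch, optionally followed by .build or -build (dpkg form)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-](\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Pull a DocumentServer version out of strings such as 'v5.6.4.13',
    '5.6.4-13' (dpkg form) or '6.0.0' (missing build number -> 0).
    Returns None when no three-part version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(text: str) -> bool:
    """True when the version lies inside the affected range (inclusive at both ends)."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version found in {text!r}")
    return FIRST_VULNERABLE <= v <= LAST_VULNERABLE


def installed_version_debian() -> Optional[str]:
    """Ask dpkg for the installed package version; None if dpkg or the package is absent.
    Assumption: Debian/Ubuntu host or the official Docker image."""
    try:
        result = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", "onlyoffice-documentserver"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    installed = installed_version_debian()
    if installed is None:
        print("onlyoffice-documentserver package not found; determine the version another way")
    else:
        state = "VULNERABLE (CVE-2021-25830)" if is_vulnerable(installed) else "outside affected range"
        print(f"{installed}: {state}")
```

Run it on the host (or with `docker exec <container> python3 check.py` inside the image); a missing build number is treated as 0, which keeps a bare "5.6.4" inside the affected range rather than silently passing it.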

📡 Detection & Monitoring

Log Indicators:

  • Unusual DOCT file conversion requests, especially from sources that are not known integrators
  • Shell, interpreter or network-tool processes whose parent is the x2t converter binary, which has no legitimate reason to launch them
  • Error logs related to file parsing failures in the converter (failed attempts often precede a working one)

Network Indicators:

  • HTTP POST requests to the conversion endpoints (/ConvertService.ashx, /converter) carrying or referencing DOCT input
  • Outbound connections from DocumentServer to destinations other than the storage and callback URLs it is configured to use

SIEM Query (Splunk-style; source, url and process are placeholder field names, adapt them to your log schema):

source="onlyoffice" AND (url="*/converter*" OR url="*/ConvertService.ashx*" OR process="*python*" OR process="*bash*")

The process clauses are noisy on hosts that legitimately run those interpreters; where your endpoint telemetry records parent-child relationships, scope them to processes whose parent is x2t.
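The log and network indicators above can be checked without a SIEM by reading the nginx access log in front of DocumentServer. The following is an added example (not ONLYOFFICE code) that keeps POSTs to the two conversion endpoints, reports any that come from outside an integrator allowlist, and flags per-source bursts. The allowlist, the burst threshold and the sample log lines are constructed for the example; the request body (and so the DOCT file type) is not visible in an access log, which is why the detection keys on endpoint and source rather than on format.

```python
"""Flag conversion-service requests in DocumentServer's nginx access log.

Added example, not ONLYOFFICE code. Reads nginx combined-format lines, keeps POSTs to the
conversion endpoints (/ConvertService.ashx and /converter), and reports requests from
outside an integrator allowlist plus per-source bursts. The allowlist, the burst threshold
and the log lines below are constructed for the example.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

CONVERSION_PATHS = ("/ConvertService.ashx", "/converter")

# Assumption: only these networks host integrators that legitimately submit conversion jobs.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]

# Assumption: this many conversion POSTs from one source in the analysed window is abnormal.
BURST_THRESHOLD = 3

# nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

Finding = Tuple[str, str, str]  # (reason, source ip, detail)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None for lines that do not match."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def is_conversion_request(rec: Dict[str, str]) -> bool:
    """POST to one of the conversion endpoints, ignoring query string and trailing slash."""
    path = rec["path"].split("?", 1)[0].rstrip("/")
    return rec["method"] == "POST" and path in CONVERSION_PATHS


def analyze(lines: List[str]) -> List[Finding]:
    """Return findings: conversion requests from untrusted sources, then per-source bursts."""
    findings: List[Finding] = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_conversion_request(rec):
            continue
        src = ip_address(rec["ip"])
        per_source[str(src)] += 1
        if not any(src in net for net in TRUSTED_NETWORKS):
            findings.append(("untrusted source", str(src), f'{rec["path"]} ua={rec["agent"]}'))
    for src, n in per_source.items():
        if n >= BURST_THRESHOLD:
            findings.append(("burst", src, f"{n} conversion requests"))
    return findings


# Constructed sample: one integrator on the trusted network, one external host hitting the API.
SAMPLE_LOG = """\
10.0.1.20 - - [01/Mar/2021:10:00:01 +0000] "POST /ConvertService.ashx HTTP/1.1" 200 311 "-" "integrator/1.0"
203.0.113.45 - - [01/Mar/2021:10:00:05 +0000] "POST /ConvertService.ashx HTTP/1.1" 200 298 "-" "python-requests/2.25.1"
203.0.113.45 - - [01/Mar/2021:10:00:06 +0000] "POST /converter HTTP/1.1" 200 298 "-" "python-requests/2.25.1"
10.0.1.20 - - [01/Mar/2021:10:00:09 +0000] "GET /web-apps/apps/api/documents/api.js HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Mar/2021:10:00:10 +0000] "POST /converter?shardkey=1 HTTP/1.1" 200 298 "-" "python-requests/2.25.1"
""".splitlines()

if __name__ == "__main__":
    for reason, src, detail in analyze(SAMPLE_LOG):
        print(f"[{reason}] {src}: {detail}")
```

Feed it the real log with `analyze(open("/var/log/onlyoffice/documentserver/nginx.access.log").read().splitlines())` or whatever path your deployment uses; the sample flags the external host three times for untrusted access and once more for the burst, and never mentions the trusted integrator.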
