CVE-2025-14405
📋 TL;DR
This vulnerability lets a local attacker escalate privileges on PDFsam Enhanced installations through an insecure OpenSSL configuration file loading mechanism: the bundled OpenSSL resolves its configuration from a path that an attacker can control by mounting a drive. An attacker who mounts a drive carrying a crafted OpenSSL configuration file at that path gets arbitrary code execution with SYSTEM privileges. Systems are only exposed to attackers who have physical access or can otherwise mount a drive on them.
💻 Affected Systems
- PDFsam Enhanced
📦 What is this software?
PDFsam Enhanced is the commercial PDF editing application from the PDFsam vendor; the affected installations are on Windows, where the product ships its own OpenSSL build.
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM compromise allowing complete control of the system, installation of persistent malware, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation to SYSTEM on individual workstations where an attacker has physical access or can mount malicious drives.
If Mitigated
No impact once the vendor patch is applied, or where access controls stop unprivileged users from mounting drives on the affected host.
🎯 Exploit Status
Requires physical access or the ability to mount a drive on the target. The attack consists of mounting a drive that carries an attacker-controlled openssl.cnf at the path the bundled OpenSSL expects, then triggering the SYSTEM-level component to load it; no network access is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references - check vendor advisory
Vendor Advisory: Not provided in references - check PDFsam Enhanced vendor site
Restart Required: Yes
Instructions:
1. Check PDFsam Enhanced vendor website for security advisory
2. Download and install the latest patched version
3. Restart the system to ensure changes take effect
4. Verify the fix by checking version and testing functionality
🔧 Temporary Workarounds
Restrict Drive Mounting (Windows)
Prevent unauthorized users from attaching removable drives or mapping network shares.
Use Group Policy: Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access > set 'All Removable Storage classes: Deny all access' to Enabled. This policy only covers removable storage device classes; mapped network drives and subst-style drive letters created by a standard user are not blocked by it and need separate controls.
Remove Unnecessary OpenSSL Configuration (Windows)
Remove or lock down OpenSSL configuration files in locations the application can be made to read.
Check for openssl.cnf files in the application directories and on any mounted drive, and remove the ones that are not required.
Set permissions on the configuration files that must remain so that only administrators and SYSTEM can write to them.
🧯 If You Can't Patch
- Restrict physical access to systems running PDFsam Enhanced
- Implement strict removable media policies and disable auto-run features
🔍 How to Verify
Check if Vulnerable:
Compare the installed PDFsam Enhanced version with the vendor's patched version list. Look for openssl.cnf files in the application directories and check whether unprivileged users can write to them or to the path OpenSSL resolves its configuration from.
Check Version:
Check PDFsam Enhanced 'About' menu or installation directory for version information
Verify Fix Applied:
Verify installed version matches or exceeds patched version from vendor advisory. Test that OpenSSL configuration loading is restricted to secure locations.
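The inventory described under the workaround and verification steps above, as an added PowerShell example that is not part of the advisory or of the vendor's tooling. The DisplayName pattern, the fallback install path and the set of low-privilege principals are assumptions to adjust for your deployment; it reports the installed version, any OPENSSL_CONF override whose target does not exist, and every openssl.cnf under the install directory that a standard user could modify.

```powershell
# Added example (not from the advisory): inventory PDFsam Enhanced and any
# OpenSSL configuration it could load. DisplayName pattern, fallback path and
# the low-privilege principal list are assumptions; adjust for your estate.
$ErrorActionPreference = 'Stop'

# 1. Installed version from the Uninstall registry keys (assumed DisplayName pattern).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'PDFsam Enhanced*' } |
    Select-Object -First 1 DisplayName, DisplayVersion, InstallLocation
if ($product) {
    '{0} {1} installed at {2}' -f $product.DisplayName, $product.DisplayVersion, $product.InstallLocation
} else {
    'PDFsam Enhanced not found in the Uninstall registry keys'
}

# 2. OPENSSL_CONF overrides the built-in config path. If it points at a location
#    that does not exist, whoever can create that path (e.g. by mounting a drive
#    with that letter) controls the file OpenSSL will load.
foreach ($scope in 'Machine', 'User') {
    $conf = [Environment]::GetEnvironmentVariable('OPENSSL_CONF', $scope)
    if ($conf) {
        $present = Test-Path -LiteralPath $conf
        "OPENSSL_CONF ($scope) = $conf  exists: $present"
    }
}

# 3. Every openssl.cnf under the install directory (assumed fallback path if the
#    registry lookup failed) and whether a low-privilege principal can write it.
$root = if ($product -and $product.InstallLocation) { $product.InstallLocation } else { 'C:\Program Files\PDFsam Enhanced' }
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl
$lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'   # assumed list

Get-ChildItem -Path $root -Recurse -Filter 'openssl.cnf' -ErrorAction SilentlyContinue | ForEach-Object {
    $acl  = Get-Acl -LiteralPath $_.FullName
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($lowPriv -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeRights) -ne 0)
    }
    [pscustomobject]@{
        Path            = $_.FullName
        Owner           = $acl.Owner
        WritableByUsers = [bool]$weak   # $true means a standard user can swap the config
    }
}
```

Run it in an elevated PowerShell session so Get-Acl can read every file. A line with WritableByUsers = True, or an OPENSSL_CONF entry whose target does not exist, is the condition the workaround above tells you to close; the fix itself is still the vendor patch.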
📡 Detection & Monitoring
Log Indicators:
- Unusual drive mounting events (Security event 6416, 'A new external device was recognized by the system', when 'Audit PNP Activity' is enabled)
- A PDFsam Enhanced process running as SYSTEM, or child processes spawned from it
- Access to an openssl.cnf file from an unusual location, in particular from a newly mounted drive (Security event 4663 requires a SACL on the file)
Network Indicators:
- Unusual network drive connections preceding privilege escalation
SIEM Query (pseudo-syntax; map the field names to your platform, and note that the two clauses need their own parentheses or the AND/OR precedence silently changes the match):
(EventID=4663 AND ObjectName LIKE '%openssl.cnf%') OR (EventID=4688 AND NewProcessName LIKE '%pdfsam-enhanced.exe' AND SubjectUserSid='S-1-5-18')
The process name pdfsam-enhanced.exe is assumed; confirm it against an actual install. Windows Security events carry no 'IntegrityLevel' field: S-1-5-18 is the SYSTEM account SID, and event 4688 is only produced when 'Audit Process Creation' is enabled.
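The same hunt run directly against the local Security log, as an added PowerShell example that is not part of the advisory. It assumes the process name pdfsam-enhanced.exe and a 24-hour window; 4663 needs 'Audit File System' plus a SACL on the configuration file, 4688 needs 'Audit Process Creation', and 6416 needs 'Audit PNP Activity', or the corresponding query returns nothing.

```powershell
# Added example (not from the advisory): pull the advisory's three indicators
# from the local Security log. Process name and time window are assumptions.
$since    = (Get-Date).AddHours(-24)
$procName = 'pdfsam-enhanced.exe'   # assumed; confirm against your install

# Read one EventData field by name from a Security event.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. 4663: a handle used on a file whose path contains openssl.cnf, wherever it lives.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ObjectName') -like '*openssl.cnf*' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = Get-EventField $_ 'SubjectUserName'
            Process = Get-EventField $_ 'ProcessName'
            Object  = Get-EventField $_ 'ObjectName'
            Access  = Get-EventField $_ 'AccessMask'
        }
    }

# 2. 4688: PDFsam Enhanced created under the SYSTEM account (S-1-5-18), or any
#    process whose creator is PDFsam Enhanced (the payload spawn).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $new    = Get-EventField $_ 'NewProcessName'
        $parent = Get-EventField $_ 'ParentProcessName'
        ($new -like "*\$procName" -and (Get-EventField $_ 'SubjectUserSid') -eq 'S-1-5-18') -or
        ($parent -like "*\$procName")
    } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = Get-EventField $_ 'SubjectUserName'
            Parent  = Get-EventField $_ 'ParentProcessName'
            New     = Get-EventField $_ 'NewProcessName'
        }
    }

# 3. 6416: a new external device was recognised, i.e. a candidate drive mount.
#    Correlate its timestamp with the 4663/4688 hits above.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Device      = Get-EventField $_ 'DeviceDescription'
            Class       = Get-EventField $_ 'ClassName'
        }
    }
```

A 6416 device arrival followed within seconds by a 4663 on openssl.cnf from the new drive and a 4688 whose creator is the PDFsam Enhanced process is the sequence the advisory describes; any one of the three alone is noisy on an ordinary workstation.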