Login Sign Up

CVE-2025-66834

7.3 HIGH

📋 TL;DR

A CSV formula injection vulnerability in TrueConf Server v5.5.2.10813 allows authenticated users to embed malicious spreadsheet formulas in exported chat logs by manipulating their display name. When administrators export chat logs to CSV format and open them in spreadsheet applications like Excel, the formulas execute, potentially leading to data theft or system compromise. This affects organizations using TrueConf Server for video conferencing and chat.

💻 Affected Systems

Products:
  • TrueConf Server
Versions: v5.5.2.10813
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user authentication and administrator export of chat logs to CSV format.

📦 What is this software?

Server by Trueconf

View all CVEs affecting Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could execute arbitrary commands on an administrator's computer when they open the malicious CSV file, leading to full system compromise, data exfiltration, or ransomware deployment.

🟠

Likely Case

Attackers could steal administrator credentials, session cookies, or sensitive data from the administrator's system through formula execution in Excel/Google Sheets.

🟢

If Mitigated

With proper security awareness training and CSV sanitization, the impact is limited to potential data corruption in exported logs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access and administrator interaction with exported files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor TrueConf security advisories for updates.

🔧 Temporary Workarounds

CSV Sanitization Script

linux

Add a script to sanitize CSV exports by prefixing formula cells with apostrophe or removing special characters

sed -i "s/^[=+\-@]/'&/g" exported_file.csv

Excel Safe Mode

windows

Configure Excel to open CSV files in protected view or disable automatic formula execution

🧯 If You Can't Patch

  • Restrict user permissions to prevent display name changes containing special characters
  • Train administrators to never open exported CSV files directly in spreadsheet applications without validation

🔍 How to Verify

Check if Vulnerable:

Test by setting display name to '=HYPERLINK("http://malicious.com","Click")' and exporting chat logs to CSV

Check Version:

trueconf-server --version

Verify Fix Applied:

Verify exported CSV files have formula cells prefixed with apostrophe or special characters removed

📡 Detection & Monitoring

Log Indicators:

  • User profile updates with display names containing =, +, -, @, or TAB characters
  • CSV export operations with unusual file sizes

Network Indicators:

  • Outbound connections from administrator workstations after CSV file opens

SIEM Query:

source="trueconf" AND (event="user_update" AND display_name MATCHES "[=+\-@\t]") OR event="export_csv"

📊 Metadata

CVE ID: CVE-2025-66834
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CWE: CWE-1236
EPSS Score: 0.04% exploit probability (10.9th percentile)
Published: December 30, 2025
Last Updated: January 7, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66834, you might also want to check these:

CVE-2022-45360 9.8

This vulnerability allows CSV injection attacks in the WordPress Commenter Emails plugin. Attackers ...

Same vulnerability type (CWE-1236)
CVE-2022-45810 9.8

This CVE describes a CSV injection vulnerability in the Icegram Express WordPress plugin. Attackers ...

Same vulnerability type (CWE-1236)
CVE-2022-46803 9.8

This vulnerability allows unauthenticated attackers to inject malicious formulas into CSV files expo...

Same vulnerability type (CWE-1236)