CVE-2026-25880
📋 TL;DR
SumatraPDF versions 3.5.2 and earlier contain a vulnerability where clicking 'Show in folder' in the File menu executes explorer.exe from the same directory as the opened PDF file. This allows attackers to achieve arbitrary code execution by placing a malicious binary named explorer.exe alongside a PDF. All Windows users running vulnerable SumatraPDF versions are affected.
💻 Affected Systems
- SumatraPDF
📦 What is this software?
SumatraPDF by sumatrapdfreader
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with user privileges, enabling malware installation, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation leading to malware execution, potentially resulting in ransomware deployment or credential harvesting.
If Mitigated
Limited impact with proper application whitelisting and user awareness training preventing exploitation.
🎯 Exploit Status
Exploitation requires user interaction (clicking 'Show in folder') but is trivial to weaponize with social engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.3
Vendor Advisory: https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5x4h-247q-px37
Restart Required: No
Instructions:
1. Download SumatraPDF 3.5.3 or later from the official website.
2. Install the update.
3. Verify the version in Help → About.
🔧 Temporary Workarounds
Disable 'Show in folder' feature
Platform: Windows. Remove or disable the 'Show in folder' menu option through registry modification.
Command: Not applicable - requires manual UI modification or registry editing.
Application control policy
Platform: Windows. Implement application whitelisting to prevent execution of explorer.exe from non-standard locations.
Command: Configure Windows AppLocker or a similar solution to restrict explorer.exe execution to its system location.
🧯 If You Can't Patch
- Discontinue use of SumatraPDF and switch to alternative PDF readers
- Implement strict file integrity monitoring for explorer.exe in user directories
🔍 How to Verify
Check if Vulnerable:
Check the SumatraPDF version in the Help → About menu. If the version is 3.5.2 or earlier, the system is vulnerable.
Check Version:
SumatraPDF.exe --version or check in Help → About menu
Verify Fix Applied:
Verify that the version is 3.5.3 or later in the Help → About menu.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing explorer.exe execution from unusual directories
- Process creation events for explorer.exe from PDF file locations
Network Indicators:
- Unusual outbound connections following PDF file opening
SIEM Query:
Process Creation where Image ends with 'explorer.exe' and Image is not 'C:\Windows\explorer.exe' (optionally narrowed to ParentImage ends with 'SumatraPDF.exe', or CurrentDirectory pointing at a user-writable folder holding a .pdf)
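The following is an added example, not code from the advisory or the SumatraPDF project, that runs a path-based version of the detection logic above over constructed Sysmon-style Event ID 1 (process creation) records. The field names follow Sysmon's schema; the sample paths and user name are invented.

```python
import ntpath
from typing import Dict, List

# Constructed Sysmon Event ID 1 records (not real telemetry). The second one
# models explorer.exe being launched from the folder holding the opened PDF.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"Image": r"C:\Users\alice\Downloads\invoice\explorer.exe",
     "ParentImage": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads\invoice"},
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CurrentDirectory": r"C:\Windows\system32"},
]

# Locations where the real Windows shell lives; anything else named
# explorer.exe is a look-alike binary.
LEGIT_EXPLORER = {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"}


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when a process named explorer.exe runs from a non-system path."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "explorer.exe":
        return False
    return image.lower() not in LEGIT_EXPLORER


def launched_by_sumatra(event: Dict[str, str]) -> bool:
    """Enrichment: flag the parent named in this advisory for higher severity."""
    return ntpath.basename(event.get("ParentImage", "")).lower() == "sumatrapdf.exe"


def find_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the suspicious events, annotated with a severity string."""
    hits = []
    for e in events:
        if is_suspicious(e):
            sev = "high" if launched_by_sumatra(e) else "medium"
            hits.append({**e, "Severity": sev})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit["Severity"], hit["Image"], "<-", hit["ParentImage"])
```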