CVE-2026-25925
📋 TL;DR
PowerDocu versions before 2.4.0 contain a critical deserialization vulnerability where the application blindly trusts the $type property in JSON files within Flow or App packages. This allows attackers to instantiate arbitrary .NET objects and execute remote code. Users running PowerDocu versions prior to 2.4.0 are affected.
💻 Affected Systems
- PowerDocu
📦 What is this software?
PowerDocu by Modery
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution as the user running PowerDocu, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution with the privileges of the PowerDocu user, enabling file system access, credential harvesting, and persistence mechanisms.
If Mitigated
Limited impact if PowerDocu runs with minimal privileges and network access is restricted, though local code execution remains possible.
🎯 Exploit Status
Exploitation requires the attacker to craft a JSON file carrying an attacker-chosen $type property and have it processed by PowerDocu. No authentication bypass is needed beyond file access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0
Vendor Advisory: https://github.com/modery/PowerDocu/security/advisories/GHSA-m8j2-5jr7-2jpw
Restart Required: Yes
Instructions:
1. Download PowerDocu version 2.4.0 or later from the official GitHub releases page.
2. Uninstall the previous version.
3. Install the new version.
4. Restart the system to ensure all processes use the updated version.
🔧 Temporary Workarounds
Restrict JSON file sources
Windows: Only allow PowerDocu to process JSON files from trusted, verified sources. Implement strict access controls on directories containing Flow or App packages.
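The TL;DR above describes the root cause (a JSON $type property that names the .NET type to instantiate is honoured without restriction), and this workaround asks operators to vet packages before PowerDocu sees them. The following is an added example, not code from PowerDocu or this advisory: a small pre-processing gate that walks a Flow/App package JSON, collects every $type hint, and rejects the file if any hint is not on an allowlist of expected types. The package layout, the allowlist entries and the sample document are constructed for illustration; real package schemas and PowerDocu's own type names are not shown on the page.

```python
import json

# Constructed sample: a minimal Flow-package-style JSON document. The first two
# $type hints are on the allowlist; the third names an unrelated .NET type and
# must be rejected. The structure is illustrative, not PowerDocu's real schema.
SAMPLE_PACKAGE = r'''
{
  "name": "ExampleFlow",
  "properties": {
    "definition": {
      "$type": "Example.Flow.Definition, ExampleSdk",
      "triggers": {
        "manual": {"$type": "Example.Flow.Trigger, ExampleSdk", "kind": "Button"}
      }
    },
    "connectionReferences": {
      "$type": "System.IO.FileInfo, mscorlib",
      "fullName": "C:\\Users\\Public"
    }
  }
}
'''

# Allowlist of type names the consumer expects. Assumption: in a real deployment
# this comes from the package schema; these two entries are made up.
ALLOWED_TYPES = {
    "Example.Flow.Definition, ExampleSdk",
    "Example.Flow.Trigger, ExampleSdk",
}


def iter_type_hints(node, path="$"):
    """Yield (json_path, type_name) for every $type key anywhere in the document."""
    if isinstance(node, dict):
        if isinstance(node.get("$type"), str):
            yield path, node["$type"]
        for key, value in node.items():
            yield from iter_type_hints(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_type_hints(value, f"{path}[{index}]")


def find_untrusted_types(text, allowed=ALLOWED_TYPES):
    """Return [(json_path, type_name)] for each $type that is not on the allowlist."""
    document = json.loads(text)
    return [(path, name) for path, name in iter_type_hints(document) if name not in allowed]


def is_safe_to_process(text, allowed=ALLOWED_TYPES):
    """Gate for the workaround: True only when every $type hint is an expected type.
    Malformed JSON is rejected too, since it never deserialises cleanly."""
    try:
        return not find_untrusted_types(text, allowed)
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    for path, name in find_untrusted_types(SAMPLE_PACKAGE):
        print(f"REJECT {path}: unexpected $type {name!r}")
    print("safe to process:", is_safe_to_process(SAMPLE_PACKAGE))
```

The gate deliberately allowlists rather than denylists: the danger of a trusted $type is that any loadable type can be named, so enumerating the few types a package legitimately needs is the only check that does not have to anticipate every gadget. Files that fail the gate should be quarantined and reviewed rather than passed to an unpatched PowerDocu.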
Run with minimal privileges
Windows: Configure PowerDocu to run with a non-administrative, low-privilege user account to limit the impact of successful exploitation.
🧯 If You Can't Patch
- Discontinue use of PowerDocu for processing untrusted JSON files until patched.
- Isolate PowerDocu installations on segmented networks with strict egress filtering.
🔍 How to Verify
Check if Vulnerable:
Check the PowerDocu version by running the application and viewing the version in the GUI or checking the executable properties. Versions below 2.4.0 are vulnerable.
Check Version:
PowerDocu.exe --version (if supported) or check file properties in Windows Explorer.
Verify Fix Applied:
After updating, confirm the version is 2.4.0 or higher using the same method. Test with a known safe JSON file to ensure functionality.
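The version checks above compare whatever string the GUI or the executable's file properties report against 2.4.0. As an added example (not part of the advisory), the helper below parses such a string and decides numerically, which avoids the classic mistake of comparing version strings lexically (where "2.10.1" sorts before "2.4.0"). The input strings in the test are constructed; the only facts it relies on are the fixed version from the advisory.

```python
import re

# Fixed version stated in the advisory: releases below this are affected.
FIXED_VERSION = (2, 4, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as '2.3.9',
    'v2.4.0', 'PowerDocu 2.4.0' or a four-part Windows file version '2.4.0.0'.
    A missing patch component is treated as 0; the fourth (build) part is ignored."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch, _build = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text):
    """True when the reported version is below the fixed release 2.4.0."""
    return parse_version(version_text) < FIXED_VERSION


def assess(version_text):
    """Human-readable verdict for a reported version string."""
    version = ".".join(str(part) for part in parse_version(version_text))
    if is_vulnerable(version_text):
        return f"PowerDocu {version}: VULNERABLE, update to 2.4.0 or later"
    return f"PowerDocu {version}: fixed release, no action needed"


if __name__ == "__main__":
    # Constructed inputs as they might be copied from Explorer's Details tab.
    for reported in ("2.3.9", "2.4.0.0", "v2.10.1", "PowerDocu 1.9"):
        print(assess(reported))
```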
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from PowerDocu.exe
- Errors or crashes in PowerDocu logs related to JSON parsing or deserialization
Network Indicators:
- Unexpected outbound connections from PowerDocu.exe to external IPs
SIEM Query:
Process Creation where Image contains 'PowerDocu.exe' and CommandLine contains unusual arguments or file paths
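The log, network and SIEM indicators above can be expressed as two concrete rules: any child process spawned by PowerDocu.exe, and any connection from PowerDocu.exe to an address outside the organisation's internal ranges. The script below is an added example, not part of the advisory or of any vendor tooling: it runs those two rules over a constructed Sysmon-style JSON-lines log (EventID 1 for process creation, EventID 3 for network connections). The field names follow Sysmon's conventions; every event value, the empty child-process allowlist and the internal network ranges are assumptions to adjust after baselining.

```python
import ipaddress
import json
from pathlib import PureWindowsPath

# Constructed sample log in Sysmon-like JSON-lines form. All values are made up;
# 203.0.113.0/24 is a documentation range, used here to stand in for "the internet".
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Program Files\\PowerDocu\\PowerDocu.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"PowerDocu.exe\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\PowerDocu\\PowerDocu.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 3, "Image": "C:\\Program Files\\PowerDocu\\PowerDocu.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445}
{"EventID": 3, "Image": "C:\\Program Files\\PowerDocu\\PowerDocu.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 443}
this line is not JSON and is skipped by the parser
'''

TARGET = "powerdocu.exe"

# Assumption: PowerDocu is not expected to spawn child processes at all. Add any
# legitimate children observed during baselining before deploying the rule.
ALLOWED_CHILDREN = set()

# Assumption: the organisation's internal address ranges; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(net) for net in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_events(text):
    """Yield one dict per well-formed JSON line; blank and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def image_name(path):
    """Lower-cased file name of a Windows image path ('C:\\x\\Foo.exe' -> 'foo.exe')."""
    return PureWindowsPath(path).name.lower()


def is_internal(ip_text):
    """True when the address parses and lies inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def detect(events, allowed_children=ALLOWED_CHILDREN):
    """Apply both rules and return a list of (rule, subject, detail) findings."""
    findings = []
    for event in events:
        event_id = event.get("EventID")
        if event_id == 1 and image_name(event.get("ParentImage", "")) == TARGET:
            child = image_name(event.get("Image", ""))
            if child not in allowed_children:
                findings.append(("unusual_child_process", child, event.get("CommandLine", "")))
        elif event_id == 3 and image_name(event.get("Image", "")) == TARGET:
            destination = event.get("DestinationIp", "")
            if not is_internal(destination):
                findings.append(("external_connection", destination, event.get("DestinationPort")))
    return findings


def scan_log(text):
    """Convenience wrapper: parse a JSON-lines log and run the detections over it."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for rule, subject, detail in scan_log(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject} ({detail})")
```

Matching on the image's file name rather than the full path keeps the rule valid when PowerDocu is installed somewhere other than Program Files; the trade-off is that a renamed binary escapes the rule, which is why the allowlist and internal-range lists should be paired with a hash- or signature-based identification of PowerDocu.exe in production.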