CVE-2026-25961
📋 TL;DR
This vulnerability allows network attackers to intercept SumatraPDF's update requests and deliver malicious installers due to disabled TLS hostname verification and missing signature checks. Attackers can achieve arbitrary code execution on affected systems. Users running SumatraPDF versions 3.5.0 through 3.5.2 on Windows are affected.
💻 Affected Systems
- SumatraPDF
📦 What is this software?
SumatraPDF by sumatrapdfreader
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the victim's computer, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Malware installation leading to credential theft, cryptocurrency mining, or botnet enrollment when users attempt to update SumatraPDF.
If Mitigated
Attack fails due to network segmentation, proxy filtering, or user awareness preventing update checks on untrusted networks.
🎯 Exploit Status
Exploitation requires a network position from which the update request can be intercepted (for example, a shared or hostile network); any certificate that chains to a trusted CA is accepted, regardless of the name it was issued for, because hostname verification is disabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.3 and later
Vendor Advisory: https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q
Restart Required: No
Instructions:
1. Download SumatraPDF 3.5.3 or later from the official website.
2. Run the installer to update the existing installation.
3. Verify that the version shown in Help > About is 3.5.3 or higher.
🔧 Temporary Workarounds
Disable automatic updates
Platform: Windows. Prevent SumatraPDF from checking for updates by disabling the automatic update feature.
Settings > Advanced Options > Set 'CheckForUpdates' to false in SumatraPDF-settings.txt
Block update domains
Platform: all. Use firewall or DNS filtering to block connections to SumatraPDF update servers.
Block *.kjkpub.net and *.sumatrapdfreader.org at firewall/DNS level
🧯 If You Can't Patch
- Disable SumatraPDF update feature completely via registry or configuration file.
- Use network segmentation to prevent SumatraPDF from accessing external update servers.
🔍 How to Verify
Check if Vulnerable:
Open SumatraPDF and go to Help > About. If the version is between 3.5.0 and 3.5.2 inclusive, the installation is vulnerable.
Check Version:
sumatrapdf.exe --version
Verify Fix Applied:
After updating, check Help > About shows version 3.5.3 or higher. Verify update mechanism now validates TLS certificates and installer signatures.
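The version check and the CheckForUpdates workaround above can be scripted for fleet-wide triage. The following is an added example (not code from the SumatraPDF project): it classifies an installation from the version string reported by Help > About or `sumatrapdf.exe --version` and from the contents of SumatraPDF-settings.txt. It assumes the settings file uses `Key = value` lines and that a missing CheckForUpdates key means updates are checked (both assumptions are labelled in the code).

```python
import re
from typing import Optional, Tuple

# Range taken from the advisory text: 3.5.0 through 3.5.2 affected, fixed in 3.5.3.
AFFECTED_MIN = (3, 5, 0)
AFFECTED_MAX = (3, 5, 2)

# Constructed sample of a SumatraPDF-settings.txt with the workaround applied.
SAMPLE_SETTINGS = """\
MainWindowBackground = #80fff200
CheckForUpdates = false
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract a dotted version (e.g. 'SumatraPDF 3.5.2') as a comparable tuple.
    A missing patch component is treated as 0 (so '3.5' -> (3, 5, 0))."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_affected(version_text: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def update_check_enabled(settings_text: str) -> Optional[bool]:
    """Read CheckForUpdates from settings text ('Key = value' lines, assumed format).
    Returns None when the key is absent."""
    for line in settings_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "CheckForUpdates":
            return value.strip().lower() == "true"
    return None


def assess(version_text: str, settings_text: str) -> str:
    """Classify an installation: 'not_affected', 'mitigated' (affected version but
    update checks switched off) or 'vulnerable'. Absence of the key is assumed to
    mean update checks are on, which is the conservative reading for triage."""
    if not is_affected(version_text):
        return "not_affected"
    enabled = update_check_enabled(settings_text)
    return "mitigated" if enabled is False else "vulnerable"
```

Treat "mitigated" as a stopgap only: the workaround stops the update request, but the fix is still the 3.5.3 upgrade.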
📡 Detection & Monitoring
Log Indicators:
- Unusual network connections from SumatraPDF to non-official domains
- Failed certificate validation attempts in system logs
Network Indicators:
- HTTP traffic to update servers without TLS hostname validation
- Download of executables from unexpected sources by SumatraPDF process
SIEM Query:
process_name="SumatraPDF.exe" AND (destination_ip NOT IN [official_update_servers] OR network_protocol="http")