CVE-2025-14404: CWE-356: Product UI does not Warn User of Unsafe Actions in PDFsam Enhanced
PDFsam Enhanced XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27498.
AI Analysis
Technical Summary
CVE-2025-14404 is a vulnerability classified under CWE-356: the product's UI does not warn the user before an unsafe action is taken. It affects PDFsam Enhanced, specifically version 7.0.76.15222. The vulnerability is triggered during the processing of XLS files, where the application executes embedded scripts without adequately warning the user about the risk. This lack of a UI warning allows attackers to craft malicious XLS files that, when opened by a user, execute arbitrary code in the context of the current user. Exploitation requires user interaction, such as opening a malicious file or visiting a malicious webpage that triggers the file processing. The CVSS v3.0 score of 7.0 reflects high severity, with attack vector local (AV:L), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no exploits are currently known in the wild, the vulnerability poses a significant risk due to the potential for code execution and the broad impact on system security. The vulnerability was reserved and published in December 2025, with the original discovery credited to the Zero Day Initiative (ZDI) under ZDI-CAN-27498. No patches or updates have been linked yet, so affected users must rely on mitigation until an official fix is released.
Potential Impact
For European organizations, this vulnerability presents a substantial risk, especially for those relying on PDFsam Enhanced for document management and processing. Exploitation could lead to unauthorized code execution, resulting in data breaches, system compromise, or ransomware deployment. The high impact on confidentiality, integrity, and availability means sensitive corporate or personal data could be exposed or altered, disrupting business operations. Given the requirement for user interaction, phishing campaigns or malicious document distribution could be effective attack vectors. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face increased compliance risks and potential legal consequences if exploited. The absence of known exploits currently provides a window for proactive defense, but the presence of a high-severity vulnerability necessitates urgent attention to prevent future attacks.
Mitigation Recommendations
European organizations should immediately audit their environments to identify installations of PDFsam Enhanced version 7.0.76.15222 and restrict usage until a patch is available. Implement strict email and web filtering to block or quarantine XLS files from untrusted sources. Educate users about the risks of opening unsolicited or suspicious XLS files and encourage verification before interacting with such documents. Employ application whitelisting to prevent unauthorized execution of scripts embedded in documents. Use endpoint detection and response (EDR) solutions to monitor for anomalous behaviors indicative of exploitation attempts. Network segmentation can limit lateral movement if a compromise occurs. Regularly check for vendor updates or patches and apply them promptly once released. Consider disabling or restricting the processing of XLS files within PDFsam Enhanced if feasible. Finally, maintain up-to-date backups to enable recovery in case of successful exploitation.
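The first mitigation step, finding installations of the affected build, is illustrated below with an added example that is not part of the advisory. It assumes a software-inventory export in a simple `host,product,version` CSV layout (the hostnames and version strings are constructed); since no fixed version has been published, any other PDFsam Enhanced build is reported for review rather than marked safe.

```python
import csv
import io
import re

# Product and version named as affected in this advisory.
AFFECTED_PRODUCT = "PDFsam Enhanced"
AFFECTED_VERSION = "7.0.76.15222"

# Constructed inventory export (hypothetical hosts; not real data).
INVENTORY_CSV = """host,product,version
ws-fin-01,PDFsam Enhanced,7.0.76.15222
ws-fin-02,PDFsam Enhanced,7.0.70.14901
ws-hr-03,PDFsam Basic,5.2.8
srv-doc-01,PDFsam Enhanced,7.0.76.15222
ws-dev-07,7-Zip,23.01
"""


def parse_version(text):
    """Turn '7.0.76.15222' into a tuple of ints so builds compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def classify(product, version):
    """Audit status of one installation.

    'affected' - the exact build listed in the advisory
    'review'   - another PDFsam Enhanced build; no fixed version has been
                 published, so the mitigations still apply until one is
    'n/a'      - a different product
    """
    if product != AFFECTED_PRODUCT:
        return "n/a"
    if parse_version(version) == parse_version(AFFECTED_VERSION):
        return "affected"
    return "review"


def audit(csv_text):
    """Group inventory hosts by audit status: {status: [hosts]}."""
    result = {"affected": [], "review": [], "n/a": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[classify(row["product"], row["version"])].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in audit(INVENTORY_CSV).items():
        print(f"{status:8s} {', '.join(hosts) or '-'}")
```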
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: zdi
- Date Reserved: 2025-12-10T01:37:20.278Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 694b0a12d69af40f312b7da2
Added to database: 12/23/2025, 9:30:58 PM
Last enriched: 12/30/2025, 11:57:21 PM
Last updated: 2/6/2026, 6:19:52 AM