CVE-2025-64486 is a critical security vulnerability identified in the calibre e-book management software, specifically affecting versions 8.13.0 and earlier. The root cause is improper validation of filenames when calibre processes binary assets embedded within FictionBook (FB2) files. This lack of validation allows an attacker to craft a malicious FB2 file containing specially named binary assets that, when opened or converted by calibre, can cause arbitrary files to be written to arbitrary locations on the victim's filesystem. This external control of file name or path (CWE-73) can be leveraged to execute arbitrary code with the privileges of the user running calibre. The vulnerability does not require authentication but does require user interaction, such as opening or converting the malicious FB2 file. The CVSS 4.0 vector indicates local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). Although no known exploits have been reported in the wild, the severity and ease of exploitation make it a critical threat. The issue was publicly disclosed on November 7, 2025, and fixed in calibre version 8.14.0. Calibre is widely used for managing e-books, including in academic, publishing, and personal environments, making this vulnerability relevant for users who handle FB2 files.

For European organizations, this vulnerability poses a significant risk especially in sectors where e-books and digital document management are common, such as education, publishing, libraries, and research institutions. An attacker could exploit this flaw to execute arbitrary code on systems running vulnerable calibre versions, potentially leading to data theft, system compromise, or lateral movement within networks. The ability to write arbitrary files could also be used to implant persistent malware or ransomware. Given calibre's cross-platform usage, both Windows and Linux systems could be affected. The impact extends to confidentiality, integrity, and availability of affected systems. Organizations that allow users to open or convert FB2 files without strict controls are particularly vulnerable. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge following public disclosure.

European organizations should immediately update all calibre installations to version 8.14.0 or later to remediate this vulnerability. Until updates can be applied, organizations should implement strict controls on the handling of FB2 files, including blocking or sandboxing untrusted FB2 files and restricting user permissions to prevent arbitrary file writes. Employ endpoint protection solutions capable of detecting suspicious file system activity related to calibre processes. Educate users about the risks of opening FB2 files from untrusted sources. Network segmentation can limit the impact of a compromised host. Additionally, monitoring logs for unusual file creation or modification events related to calibre can help detect exploitation attempts. Organizations should also review and harden file system permissions to minimize the potential damage from arbitrary file writes.