CVE-2025-64486 is a critical security vulnerability affecting the calibre e-book management software, specifically versions 8.13.0 and earlier. The flaw arises from calibre's failure to properly validate filenames when processing binary assets embedded within FB2 (FictionBook) files. An attacker can craft a malicious FB2 file containing specially crafted filenames that, when opened or converted by calibre, cause arbitrary files to be written to the victim's filesystem. This external control of file name or path (CWE-73) can be leveraged to execute arbitrary code with the privileges of the user running calibre. The vulnerability requires user interaction—opening or converting a malicious FB2 file—but does not require prior authentication or elevated privileges. The CVSS 4.0 score is 9.3 (critical), reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. The issue was addressed in calibre version 8.14.0 by implementing proper filename validation and sanitization. No known exploits have been reported in the wild yet, but the vulnerability poses a significant risk due to calibre's widespread use in managing e-books across personal and organizational environments.

For European organizations, this vulnerability poses a significant risk especially to sectors relying heavily on digital publishing, libraries, educational institutions, and any environment where calibre is used to manage or convert e-books. Successful exploitation could lead to arbitrary code execution, enabling attackers to install malware, exfiltrate sensitive data, or disrupt operations by corrupting or deleting files. Given calibre often runs on user endpoints, exploitation could serve as an entry point for broader network compromise. The impact on confidentiality, integrity, and availability is high, potentially affecting intellectual property, user privacy, and operational continuity. Organizations with large user bases or those distributing FB2 files are at heightened risk. The lack of known exploits currently provides a window for proactive mitigation, but the critical severity demands urgent patching and monitoring.

European organizations should immediately upgrade all calibre installations to version 8.14.0 or later to remediate this vulnerability. Additionally, implement strict controls on the sources of FB2 files, including scanning and sandboxing incoming e-book files before allowing users to open or convert them. Employ endpoint protection solutions capable of detecting anomalous file writes or code execution attempts originating from calibre processes. Educate users about the risks of opening e-books from untrusted sources. For environments where immediate upgrade is not feasible, consider restricting calibre's filesystem permissions using OS-level controls or containerization to limit potential damage from exploitation. Regularly monitor logs for unusual activity related to calibre file operations. Finally, maintain an incident response plan tailored to potential endpoint compromise scenarios involving e-book management software.