CVE-2026-25880 is a vulnerability classified under CWE-426 (Untrusted Search Path) affecting SumatraPDF, a popular multi-format PDF reader for Windows. In versions 3.5.2 and earlier, the application improperly handles the execution of the Windows explorer.exe binary when a user selects the File → “Show in folder” menu option. Instead of invoking the system’s trusted explorer.exe, SumatraPDF executes explorer.exe found in the same directory as the opened PDF file. An attacker can exploit this by placing a malicious explorer.exe executable alongside a crafted PDF file. When the victim opens the PDF and clicks the menu option, the malicious binary runs with the privileges of the current user without any warning or additional user interaction beyond the menu click. This leads to arbitrary code execution, potentially allowing attackers to compromise the system’s confidentiality, integrity, and availability. The vulnerability has a CVSS v3.1 base score of 7.8, reflecting high severity due to local attack vector, low attack complexity, no privileges required, but requiring user interaction. No patches or official fixes are currently linked, and no exploits have been observed in the wild, but the vulnerability’s nature suggests it could be weaponized in targeted attacks or malware campaigns.

For European organizations, the impact of CVE-2026-25880 can be significant, especially in environments where SumatraPDF is widely used for document handling on Windows endpoints. Successful exploitation can lead to arbitrary code execution, enabling attackers to install malware, steal sensitive data, or move laterally within networks. This compromises confidentiality by exposing sensitive documents and credentials, integrity by allowing unauthorized modifications, and availability by potentially deploying ransomware or destructive payloads. Given that the vulnerability requires only minimal user interaction (a menu click) and no elevated privileges, it lowers the barrier for attackers to compromise user systems. Organizations handling sensitive or regulated data (e.g., finance, healthcare, government) in Europe could face data breaches, compliance violations (GDPR), and operational disruptions. The threat is exacerbated in environments with weak endpoint protection or where users are not trained to recognize suspicious files or behaviors.

To mitigate CVE-2026-25880, European organizations should: 1) Immediately upgrade SumatraPDF to a version later than 3.5.2 once a patch is released. If no patch is available, consider temporarily discontinuing use or replacing SumatraPDF with alternative PDF readers that do not exhibit this vulnerability. 2) Implement application whitelisting and restrict execution of binaries from user-writable directories to prevent malicious explorer.exe execution. 3) Educate users to avoid opening PDFs from untrusted sources and to be cautious when interacting with file menus in PDF readers. 4) Employ endpoint detection and response (EDR) solutions to monitor for suspicious process executions, especially unexpected explorer.exe launches from unusual directories. 5) Use network segmentation and least privilege principles to limit the impact of any compromised endpoint. 6) Regularly audit and monitor file system directories where users commonly download or store PDFs to detect presence of suspicious executables. 7) Enforce strict policies on software installation and updates to ensure timely patching of vulnerable applications.