CVE-2025-2516

EPSS 0.12%
Veröffentlicht 27.03.2025 14:29:22
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@eset.com
CVE-Watchlists
Login
Unerledigt
Login

Use of a weak cryptographic key in the signature verification process in WPS Office

The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components.

As older versions of WPS Office did not validate the update server's certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerKingsoft

≫

Produkt WPS Office

Default Statusunknown

Version 12.1.0.18276

Status unknown

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.022

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@eset.com	9.5	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/

https://nvd.nist.gov/vuln/detail/CVE-2025-2516

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-2516

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-2516

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-2516