CVE-2025-2516 CRITICAL

CVE-2025-2516: Use of a weak cryptographic key in the signature verification process in WPS Office

Weakness CWE-326 · Weak encryption
Published March 27, 2025
Last update March 27, 2025

CVSS base score

9.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber

What the vulnerability does

01 Description

The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who has successfully recovered the private key to sign components. Because older versions of WPS Office did not validate the update server's certificate, an adversary-in-the-middle attack was possible, allowing updates to be hijacked.

Key dates

02 Disclosure timeline

March 27, 2025 CVE published
March 27, 2025 Record updated