SumatraPDF 3.5.2 Remote Code Execution via Unverified Update Mechanism
What Happened – A critical flaw (CVE‑2026‑25961) in SumatraPDF 3.5.0‑3.5.2 disables TLS hostname verification and skips signature checks when downloading update installers. An attacker positioned on the network can perform a man‑in‑the‑middle (MITM) attack, serve a malicious installer, and achieve remote code execution when the user clicks “Install”.
Why It Matters for TPRM –
- The vulnerability can be weaponised against any organisation that allows employees to install or update desktop PDF readers on corporate machines.
- Exploitation bypasses traditional perimeter defenses because the malicious payload rides on what the client treats as a legitimate HTTPS update request.
- Compromise of a single endpoint can lead to lateral movement, data exfiltration, or ransomware deployment across the supply chain.
Who Is Affected – All industries that permit the use of SumatraPDF on Windows workstations (e.g., TECH_SAAS, FIN_SERV, HEALTH_LIFE, GOV_PUBLIC, EDU_RESEARCH, MEDIA_ENT).
Recommended Actions –
- Immediately verify that no endpoint runs SumatraPDF 3.5.2 or earlier; upgrade to the patched version or replace with a vetted PDF viewer.
- Enforce strict TLS inspection and certificate pinning for all update‑related traffic.
- Apply network‑level controls (DNSSEC, secure DNS, authenticated proxy) to prevent MITM redirection.
- Review endpoint hardening policies to require admin‑only installation of software.
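The first recommended action is an inventory check. The following PowerShell is an added example, not a script from the advisory or the SumatraPDF project: it looks for SumatraPDF.exe in the usual per-machine, 32-bit and per-user install locations (an assumption; extend the path list for non-standard deployments), normalises the embedded version string and flags anything in the 3.5.0 through 3.5.2 range.

```powershell
# Added example, not from the advisory or the SumatraPDF project: inventory SumatraPDF
# on a Windows host and flag installs in the affected range 3.5.0 through 3.5.2.
# Assumption: the paths below are the usual per-machine, 32-bit and per-user
# locations; add entries to $candidatePaths for non-standard deployments.

$affectedMin = [version]'3.5.0'
$affectedMax = [version]'3.5.2'

$candidatePaths = @(
    "$env:ProgramFiles\SumatraPDF\SumatraPDF.exe",
    "${env:ProgramFiles(x86)}\SumatraPDF\SumatraPDF.exe",
    "$env:LOCALAPPDATA\SumatraPDF\SumatraPDF.exe"
)

function ConvertTo-ThreePartVersion {
    # Normalise strings such as "3.5.2 (64-bit)" or "3.5.2.0" to a three-part [version],
    # so a fourth component cannot push an affected build outside the comparison range.
    param([string]$Raw)
    if ($Raw -notmatch '(\d+)\.(\d+)(?:\.(\d+))?') { return $null }
    $build = if ($Matches[3]) { [int]$Matches[3] } else { 0 }
    return [version]('{0}.{1}.{2}' -f [int]$Matches[1], [int]$Matches[2], $build)
}

function Get-SumatraInstall {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $info = (Get-Item -LiteralPath $p).VersionInfo
        $raw  = if ($info.ProductVersion) { $info.ProductVersion } else { $info.FileVersion }
        $ver  = ConvertTo-ThreePartVersion -Raw $raw
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Path         = $p
            Version      = $ver
            Affected     = ($null -ne $ver) -and ($ver -ge $affectedMin) -and ($ver -le $affectedMax)
        }
    }
}

$installs = Get-SumatraInstall -Paths $candidatePaths
$installs | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or RMM job surface affected hosts.
if ($installs | Where-Object Affected) { exit 1 } else { exit 0 }
```

Run it fleet-wide with Invoke-Command; the returned objects carry ComputerName so results can be collected centrally. Portable copies of SumatraPDF can live anywhere on disk, so for a complete picture complement the fixed path list with a Get-ChildItem search for SumatraPDF.exe or with your software inventory data.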
Technical Notes – The flaw stems from the use of INTERNET_FLAG_IGNORE_CERT_CN_INVALID during update checks and the absence of any code‑signing verification. CVSS 3.1 base score 7.5 (High): AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. Exploitation requires a network‑positioned adversary (rogue Wi‑Fi, compromised router, DNS hijack, or upstream proxy). No public exploit code is needed beyond the malicious update server component. Source: Exploit‑DB 52535
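The two omissions named above (hostname verification disabled, no code-signing check) are exactly what a hardened update path, or an administrator staging an installer by hand, has to supply. The PowerShell below is an added example, not the SumatraPDF project's updater code: it downloads with PowerShell's default TLS validation left intact (the -SkipCertificateCheck switch is the closest equivalent of the WinINet flag and is deliberately not used), then gates execution on a valid Authenticode signature from an expected publisher and, optionally, a SHA-256 value pinned out of band. The expected subject, hash and download URL are placeholders you must replace with values verified independently of the download channel.

```powershell
# Added example, not the SumatraPDF project's updater: verify a downloaded installer
# before executing it. This is the check the vulnerable update path omits.
# Assumptions (placeholders): $ExpectedSubject is the publisher subject you verified
# out of band, and $ExpectedSha256 comes from a trusted source, not the download itself.

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedSubject,   # placeholder, e.g. 'CN=<publisher>, O=<org>, ...'
        [string]$ExpectedSha256                             # optional pinned hash (placeholder)
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # 1. Authenticode: the signature must be valid and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("Authenticode status is '$($sig.Status)', expected 'Valid'")
    }
    # 2. A valid signature from the wrong publisher is still untrusted.
    elseif ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        $reasons.Add("Signer '$($sig.SignerCertificate.Subject)' does not match the expected publisher")
    }
    # 3. Optional pin: compare against a hash obtained independently of the download.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            $reasons.Add("SHA-256 $actual does not match the pinned value")
        }
    }
    [pscustomobject]@{
        Path    = $Path
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Usage: fetch with default certificate and hostname validation (never -SkipCertificateCheck),
# then refuse to run anything that fails the trust checks.
$installer = Join-Path $env:TEMP 'SumatraPDF-installer.exe'
Invoke-WebRequest -Uri 'https://<update-host>/<installer-path>' -OutFile $installer   # placeholder URL
$result = Test-InstallerTrust -Path $installer -ExpectedSubject 'CN=<publisher>' -ExpectedSha256 '<pinned sha256>'
if ($result.Trusted) {
    Start-Process -FilePath $installer -Wait
} else {
    Write-Warning ("Refusing to run {0}: {1}" -f $installer, ($result.Reasons -join '; '))
}
```

The order of the checks matters: a hash pin alone protects nothing if the pinned value was fetched over the same interceptable channel as the installer, and a signature check alone accepts any validly signed binary unless the signer is also compared against the publisher you expect. Keeping both, with the pin sourced out of band, is what removes the MITM's ability to substitute an installer even when the transport has been subverted.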