CVE-2025-2516

Summary

The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components.

As older versions of WPS Office did not validate the update server's certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked.

Affected Software

VendorProductVersion RangeStatus
KingsoftWPS Office12.1.0.18276unknown

Weaknesses

  • CWE-326: CWE-326 Inadequate Encryption Strength

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References