CVE-2025-2516

Vulnerability Description

The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components. As older versions of WPS Office did not validate the update server's certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked.

Related Weaknesses (CWE)

CWE-326

References

https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enable

FAQ

What is CVE-2025-2516?

CVE-2025-2516 is a documented vulnerability. The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components. As...

How severe is CVE-2025-2516?

CVSS scoring is not yet available for CVE-2025-2516. Check NVD for updates.

Is there a patch for CVE-2025-2516?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.