CVE-2025-30057 Overview
CVE-2025-30057 is a command injection vulnerability in the UHCRTFDoc component. The flaw resides in the ConvertToPDF function, where the filename parameter is passed unsanitized into a system() call. Attackers on an adjacent network with low privileges can inject shell metacharacters into the parameter to execute arbitrary commands on the host. The weakness is classified under [CWE-94] Improper Control of Generation of Code. CERT Poland documented the issue alongside related findings tracked as CVE-2025-2313.
Critical Impact
Successful exploitation grants arbitrary code execution in the context of the process invoking ConvertToPDF, compromising confidentiality, integrity, and availability of the affected system.
Affected Products
- UHCRTFDoc component exposing the ConvertToPDF function
- Applications embedding UHCRTFDoc for RTF-to-PDF conversion
- Downstream deployments referenced in the CERT Poland CVE-2025-2313 Analysis
Discovery Timeline
- 2025-08-27 - CVE-2025-30057 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-30057
Vulnerability Analysis
The ConvertToPDF function in UHCRTFDoc constructs a shell command string that includes the caller-supplied filename parameter, then invokes the C runtime system() API. Because system() spawns a command interpreter, any shell metacharacters present in filename are interpreted rather than treated as literal path data. An attacker who controls or influences the filename argument can append commands using separators such as ;, &&, |, or backticks. The injected payload runs with the privileges of the process hosting UHCRTFDoc. The exposure is reachable from an adjacent network with low privileges and no user interaction, which broadens the realistic attacker population to any authenticated user on the same network segment.
Root Cause
The root cause is the absence of input validation and argument escaping before passing untrusted data into a shell-interpreted API. Safer alternatives such as execve-family functions with argument arrays, or strict allow-list validation of filename characters, would have prevented metacharacter interpretation. The defect maps to [CWE-94] Improper Control of Generation of Code.
Attack Vector
Exploitation requires submitting a crafted filename value to any code path that reaches ConvertToPDF. The attacker supplies a string that closes the legitimate argument and appends shell syntax to execute additional commands. Detailed reproduction steps are documented in the CERT Poland CVE-2025-2313 Analysis. No public proof-of-concept exploit code was released with this advisory at the time of writing.
Detection Methods for CVE-2025-30057
Indicators of Compromise
- Process telemetry showing the UHCRTFDoc-hosting binary spawning shell interpreters (sh, cmd.exe) or unexpected child processes such as curl, wget, powershell, or nc.
- RTF conversion requests containing filenames with shell metacharacters (;, |, &, `, $()).
- Outbound network connections originating from the conversion process immediately after a ConvertToPDF invocation.
Detection Strategies
- Inspect application and proxy logs for filename values that include non-printable characters or shell separators.
- Apply EDR rules that flag the document conversion process when it creates child processes outside an established baseline.
- Correlate file write events to temporary directories with subsequent process creation chains tied to the conversion service.
Monitoring Recommendations
- Enable command-line auditing on hosts running UHCRTFDoc and forward events to a central SIEM.
- Alert on any invocation of system()-equivalent APIs by the conversion binary using runtime instrumentation.
- Track network egress from servers performing RTF-to-PDF conversion and baseline expected destinations.
How to Mitigate CVE-2025-30057
Immediate Actions Required
- Restrict network access to systems exposing UHCRTFDoc conversion endpoints to trusted segments only.
- Reject filenames containing shell metacharacters at the application layer before invoking conversion routines.
- Run the conversion service under a least-privilege account with no shell access where possible.
Patch Information
No vendor patch is referenced in the NVD record at this time. Consult the CERT Poland CVE-2025-2313 Analysis for vendor coordination details and monitor the upstream project for updated builds. Apply fixes that replace the system() call with an argument-array execution API and add strict input validation.
Workarounds
- Wrap calls to ConvertToPDF with a sanitizer that enforces an allow-list of filename characters (alphanumerics, ., _, -).
- If business processes permit, disable the RTF-to-PDF conversion feature until a patched build is deployed.
- Isolate the conversion process inside a container or sandbox with no outbound network access and read-only filesystem mounts.
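The Root Cause and Workarounds sections both point to the same fix: an allow-list on filename plus an argument-array execution API instead of system(). The block below is an added example of that wrapper, not code from UHCRTFDoc or its vendor. It assumes a POSIX host; filename_is_safe, convert_to_pdf_safe and the converter path argument are hypothetical names, and the length and leading-character rules are added assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <spawn.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Vulnerable shape described in the analysis (sketch, not vendor source):
 *   snprintf(cmd, sizeof cmd, "<converter> %s", filename); system(cmd);
 * The shell parses cmd, so metacharacters in filename become syntax. */

/* Allow-list from the Workarounds: ASCII alphanumerics, '.', '_', '-'.
 * Added assumptions: 1..255 bytes, and no leading '-' or '.', so the
 * name cannot be read as an option or a hidden/relative entry. */
int filename_is_safe(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (name[0] == '-' || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Validate, then start the converter from an argument array. No command
 * interpreter runs, so filename arrives as exactly one argv entry.
 * Returns the child's exit code, or -1 on rejection or failure. */
int convert_to_pdf_safe(const char *converter, const char *filename)
{
    if (!filename_is_safe(filename)) { errno = EINVAL; return -1; }
    char *const argv[] = { (char *)converter, (char *)filename, NULL };
    pid_t pid;
    int rc = posix_spawn(&pid, converter, NULL, NULL, argv, environ);
    if (rc != 0) { errno = rc; return -1; }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation and the argv-based spawn are independent layers: the allow-list rejects hostile names early, and the spawn keeps any name that passes from ever being parsed by a shell.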


