Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.
AnalysisAI
ONLYOFFICE DesktopEditors versions before 9.3.0 allow local attackers to perform arbitrary file operations with SYSTEM privileges via the update service, resulting in denial of service through resource exhaustion or file manipulation. The vulnerability requires local access and operates without user interaction, making it a significant privilege-escalation risk in multi-user or compromised-account scenarios.
Technical ContextAI
ONLYOFFICE DesktopEditors includes an automatic update service that runs with elevated SYSTEM privileges. The vulnerability (CWE-669: Improper Control of a Resource Through its Lifetime) indicates the update service fails to properly validate or restrict file operations initiated by lower-privileged local users. This allows an unprivileged local process to invoke SYSTEM-level file actions, effectively bypassing privilege boundaries. The affected product spans all versions before 9.3.0 as identified by CPE cpe:2.3:a:ascensio:onlyoffice_desktopeditors:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade ONLYOFFICE DesktopEditors to version 9.3.0 or later immediately; this is the primary and officially released fix addressing the privilege-escalation flaw in the update service. Users unable to upgrade immediately should disable the automatic update service through application settings (typical path: Tools → Options → Update) and manually verify downloads from the official ONLYOFFICE repository before installing; this prevents malicious or unintended SYSTEM-privileged operations but requires manual security maintenance overhead. Alternatively, restrict local user access to the DesktopEditors installation and cache directories via file system ACLs on Windows (NTFS permissions) or Unix group/mode restrictions (e.g., chmod 750 for config directories) to prevent unprivileged processes from invoking the update mechanism; note this may break legitimate auto-update functionality and must be tested in your environment. For multi-user systems, monitor the update service process (e.g., DesktopEditorsUpdateService.exe on Windows) for unexpected invocations using EDR or Sysmon, setting alerts for any calls from non-standard accounts. Detailed upgrade instructions and release notes are in the GitHub changelog linked above.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23197