OnlyShells vulnerability chain discovered in ONLYOFFICE
ONLYOFFICE Desktop Editors is an open‑source office suite used by over 15 million people worldwide, according to the developer. BI.ZONE TDR experts estimate that approximately 30% of Russian companies utilize this software.
Our vulnerability research team identified several issues in ONLYOFFICE Desktop Editors, which have been assigned CVE identifiers. The vulnerabilities CVE‑2025‑68917, CVE‑2025‑68935, and CVE‑2025‑68936 received a CVSS v3.1 score of 6.4. We also discovered CVE‑2026‑41030 and CVE‑2023‑2033 in the office suite. The developer was informed of these threats in accordance with our responsible disclosure policy and subsequently released an update to remediate them.
These threats impact organizations using ONLYOFFICE to view and edit office documents. The vulnerabilities stem from insufficient validation of user data and the use of outdated dependencies.
Exploitation of CVE‑2023‑2033, CVE‑2025‑68917, CVE‑2025‑68935, and CVE‑2025‑68936 allows an attacker to achieve arbitrary code execution on the operating system. The victim only needs to open a specially crafted office document. Following code execution, the offender can exploit CVE‑2026‑41030 to escalate privileges to an administrator in Windows environments.
To remediate the discovered vulnerabilities, we recommend updating ONLYOFFICE Desktop Editors to version 9.3.0. With BI.ZONE EDR, you can also successfully detect post‑exploitation activity associated with the OnlyShells vulnerability chain.