OnlyShells vulnerability chain discovered in ONLYOFFICE

OnlyShells vulnerability chain discovered in ONLYOFFICE

The flaw allows attackers to escalate system privileges. We notified the vendor of the findings, prompting the company to release a patch to fix the vulnerabilities
July 17, 2026

ONLYOFFICE Desktop Editors is an open‑source office suite used by over 15 million people worldwide, according to the developer. BI.ZONE TDR experts estimate that approximately 30% of Russian companies utilize this software.

Our vulnerability research team identified several issues in ONLYOFFICE Desktop Editors, which have been assigned CVE identifiers. The vulnerabilities CVE‑2025‑68917, CVE‑2025‑68935, and CVE‑2025‑68936 received a CVSS v3.1 score of 6.4. We also discovered CVE‑2026‑41030 and CVE‑2023‑2033 in the office suite. The developer was informed of these threats in accordance with our responsible disclosure policy and subsequently released an update to remediate them.

These threats impact organizations using ONLYOFFICE to view and edit office documents. The vulnerabilities stem from insufficient validation of user data and the use of outdated dependencies.

Exploitation of CVE‑2023‑2033, CVE‑2025‑68917, CVE‑2025‑68935, and CVE‑2025‑68936 allows an attacker to achieve arbitrary code execution on the operating system. The victim only needs to open a specially crafted office document. Following code execution, the offender can exploit CVE‑2026‑41030 to escalate privileges to an administrator in Windows environments.

In standard phishing attacks involving malicious macros, the adversary must trick the user into taking additional actions. With the discovered vulnerability chain, simply opening the file is enough—no further interaction is required, classifying it as a one‑click exploit. If successful, the attacker can execute arbitrary code with maximum privileges, effectively acting as the superuser. Modern security solutions fail to detect the exploitation of this chain, making it particularly dangerous as it can bypass defenses completely unnoticed.
Pavel Blinnikov
Vulnerability Research Lead

To remediate the discovered vulnerabilities, we recommend updating ONLYOFFICE Desktop Editors to version 9.3.0. With BI.ZONE EDR, you can also successfully detect post‑exploitation activity associated with the OnlyShells vulnerability chain.