Skip to main content
LiMP VPN
All news

OnlyShells: One Document Can Hijack ONLYOFFICE

OnlyShells: One Document Can Hijack ONLYOFFICE

In short: On 17 July 2026, researchers at BI.ZONE disclosed OnlyShells — a chain of five vulnerabilities in ONLYOFFICE Desktop Editors that turns a single office document into a full takeover of a Windows PC. Just opening a specially crafted file (a 1-click attack, no macros or prompts) lets an attacker run code and escalate to administrator rights, and mainstream security tools may not spot it. A fix shipped in ONLYOFFICE Desktop Editors 9.3.0 — updating now is the one step that closes the hole.

What happened

On 17 July 2026, the vulnerability research team at Russian vendor BI.ZONE published details of OnlyShells, a chain of flaws in ONLYOFFICE Desktop Editors, the free office suite used to open and edit documents, spreadsheets and presentations. The disclosure was covered the same day by Anti-Malware.ru and CNews. BI.ZONE reported the issues to the developer under responsible disclosure, and a patched build was released before the details went public.

ONLYOFFICE is widely deployed: BI.ZONE estimates it is used by roughly 30% of Russian companies, with more than 15 million users worldwide — so a flaw that triggers on merely opening a document has a very large potential blast radius.

What the vulnerability chain actually is

OnlyShells is not one bug but five chained together: CVE-2025-68917, CVE-2025-68935 and CVE-2025-68936 (each rated 6.4 on CVSS 3.1), plus CVE-2023-2033 and CVE-2026-41030. Individually the ratings look modest, but linked in sequence they escalate sharply — first arbitrary code execution when the document is parsed, then privilege escalation via CVE-2026-41030 to a fully privileged (superuser) account on Windows.

BI.ZONE traces the root causes to insufficient validation of user-supplied data and outdated third-party dependencies bundled with the editor. Pavel Blinnikov, who leads vulnerability research at BI.ZONE, warned that modern security tools may fail to detect exploitation of this chain — the user simply opens a file, and the machine quietly starts working against them.

Why this is dangerous for your data

The defining trait of OnlyShells is that it is a 1-click attack. There is no macro warning to ignore, no permission dialog to click through — opening the document is the entire exploit. That is exactly the action people perform dozens of times a day without thinking, on invoices, contracts and "documents from a colleague."

Once code runs with administrator rights, an attacker effectively owns the machine: passwords lifted from the browser, banking and email sessions hijacked, files encrypted by ransomware, or a persistent backdoor installed. And because standard defences may not flag the chain, the compromise can stay silent. The more of your data has already surfaced elsewhere — as in the billion-record infostealer leak we reported — the more precisely such an attack can be aimed at you.

How to protect yourself

Update ONLYOFFICE Desktop Editors to 9.3.0 or later. This version fixes the whole chain. Download it from the official onlyoffice.com and reinstall over your current copy — this is the only step that actually closes the hole.

Do not open documents from untrusted sources. The attack needs you to open a malicious file, so treat unexpected attachments — even harmless-looking .docx, .xlsx or .pptx — with suspicion; our guide on protecting accounts from hijacking covers the warning signs.

Use a password manager and two-factor authentication. If code does run on your machine, unique passwords in a password manager plus 2FA limit how far an attacker can travel with what they steal.

Encrypt your connection on untrusted networks. A VPN does not patch a program flaw — only the update does that. But it complements patching: on public or shared Wi-Fi it routes your traffic through an encrypted tunnel, so others on the same network cannot intercept the logins and sessions you send to banking, mail or work portals. LiMP VPN is a no-logs service for iOS and Android — see the features and plans, and more security news on our blog.

Should I worry if I do not use ONLYOFFICE?

If ONLYOFFICE Desktop Editors is not installed, this specific chain does not affect you — but the lesson generalises. Any office suite, PDF reader or media player that opens files from outside can carry a parsing bug that turns into a 1-click attack. Keep every such program updated, install from official sources, and be wary of unexpected attachments regardless of which app opens them. The habit matters more than any single patch.

Sources

This report is based on the OnlyShells disclosure by BI.ZONE, 17 July 2026, as reported by Anti-Malware.ru and CNews, July 2026.

OnlyShells: One Document Can Hijack ONLYOFFICE | LiMP VPN