Critical SAS Viya Vulnerability (CVE-2025-66516): Immediate Action Required


By Carrie Foreman, Managed Services Manager 

A newly identified security flaw in third-party components used by SAS Viya exposes systems to potential compromise through PDF processing. This vulnerability, tracked as CVE-2025-66516, poses a significant risk to data integrity and compliance if left unpatched. 

What’s the issue? 

A critical vulnerability—CVE-2025-66516—has been discovered in SAS Viya Stable 2025.08 and LTS 2025.03. This flaw is tied to the Apache Tika XXE (XML External Entity) issue and is rated CVSS 10.0, the highest possible severity. 

Who is at risk? 

  • All users of SAS Viya Stable 2025.08 and LTS 2025.03. 
  • If your Viya platform ingests PDFs (uploads, previews, or indexing), you are vulnerable. 
  • Attackers can exploit this flaw using a single, maliciously crafted PDF to steal files or probe your internal network. 

Potential impact 

  • Immediate risk: Unpatched systems are exposed to attack. 
  • Attack vector: The flaw exploits how Apache Tika parses PDFs, turning document processing into a potential data breach. 
  • Business impact: Sensitive data, customer information, or internal resources could be at risk if this isn’t addressed. 

What should you do? 

  1. Check your SAS Viya version. Are you on Stable 2025.08 or LTS 2025.03? 
  2. Upgrade ASAP. Move to Stable 2025.09+ or LTS 2025.09+ as these versions are not affected. 
  3. Mitigate in the meantime:
     • Restrict or sandbox PDF uploads from untrusted sources. 
     • Review your document parsing pipelines for exposure. 
  4. Stay informed. Follow the official SAS Security Bulletin for updates and guidance.  
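
A minimal pre-ingest screen for the interim mitigation above, as an added example (not SAS, Apache Tika or Katalyze Data code): it quarantines PDFs whose raw bytes or Flate-compressed streams carry XML DTD/entity declarations or an XFA (XML forms) key before they reach the parser. The function names, verdict labels and sample file are assumptions made for illustration.

```python
import re
import zlib

# Markers of XML that can declare entities, plus the key for PDF's XML forms (XFA).
MARKERS = {
    "doctype": re.compile(rb"<!DOCTYPE", re.I),
    "entity": re.compile(rb"<!ENTITY", re.I),
    "xfa": re.compile(rb"/XFA\b"),
}
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.S)
MAX_INFLATED = 8 * 1024 * 1024  # cap per stream so a decompression bomb cannot exhaust memory


def inflate(data: bytes) -> bytes:
    """Best-effort FlateDecode; returns b'' if the stream is not zlib data."""
    try:
        return zlib.decompressobj().decompress(data, MAX_INFLATED)
    except zlib.error:
        return b""


def screen_pdf(blob: bytes) -> dict:
    """Return a verdict (hypothetical labels) and the reasons for it."""
    if not blob.lstrip().startswith(b"%PDF-"):
        return {"verdict": "reject", "reasons": ["not-a-pdf"]}
    # Search the raw file and every stream that inflates successfully.
    views = [blob] + [inflate(m.group(1)) for m in STREAM.finditer(blob)]
    reasons = sorted(name for name, rx in MARKERS.items()
                     if any(rx.search(v) for v in views))
    return {"verdict": "quarantine" if reasons else "pass", "reasons": reasons}


def sample_pdf(payload: bytes) -> bytes:
    """Constructed test input: a minimal PDF-like file with one Flate stream."""
    body = zlib.compress(payload)
    return (b"%PDF-1.7\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # Constructed sample: an internal entity only, enough to trip the screen.
    xml = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY note "constructed">]><d>&note;</d>'
    print(screen_pdf(sample_pdf(xml)))
    print(screen_pdf(sample_pdf(b"BT /F1 12 Tf (hello) Tj ET")))
```

A "pass" verdict is a heuristic signal only, so keep untrusted PDFs sandboxed until the upgrade in step 2 is complete.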

Need a hand? 

If you need assistance checking your SAS Viya version, expert guidance on upgrading or patching, or a thorough security review of your platform, contact Katalyze Data immediately. Our team specializes in securing and maintaining SAS environments, and we are ready to help you resolve this vulnerability and ensure your systems remain protected.  

Don’t wait—reach out to Katalyze Data now for prompt support and peace of mind. 
