Overview
CVE-2025-63680 describes a critical vulnerability affecting Nero BackItUp within the Nero product line. This flaw allows for arbitrary code execution due to a path parsing/UI rendering issue combined with Windows ShellExecuteW fallback extension resolution. A malicious actor can leverage this vulnerability by crafting a specific file structure that, when clicked by a user within the Nero BackItUp interface, results in the execution of arbitrary code.
The vulnerability affects Nero BackItUp product lines from 2019 up to and including 2025 versions (and potentially earlier versions as well). The vendor, Nero, has acknowledged the existence of this vulnerability.
Technical Details
The vulnerability stems from a combination of factors:
- Path Parsing Flaw (CWE-22): Nero BackItUp improperly handles paths, specifically related to directory traversal or validation within its UI rendering component.
- Trailing-Dot Folder Creation: An attacker can create a folder with a trailing dot (e.g., “evil.”). Windows allows the creation of such folders, but they are often handled inconsistently by applications.
- Same-Basename Script: Inside the trailing-dot folder, the attacker places a script file with the same base name as the folder (e.g., “evil.bat”).
- UI Rendering Misinterpretation: Due to the path parsing flaw, Nero BackItUp’s UI incorrectly renders the malicious folder as a regular folder icon.
- ShellExecuteW Invocation & PATHEXT Fallback: When the user clicks on the seemingly legitimate folder in the Nero BackItUp interface, the application invokes the Windows ShellExecuteW API. ShellExecuteW, if it cannot directly execute a file based on its extension, utilizes the PATHEXT environment variable to determine possible executable extensions. This means if `evil.` is “executed”, the system checks `evil..COM`, `evil..EXE`, `evil..BAT`, and `evil..CMD`, in that order. Since the script file `evil.bat` exists, it will be executed.
CVSS Analysis
Currently, no CVSS score has been assigned to CVE-2025-63680. However, given the potential for arbitrary code execution with minimal user interaction, a high to critical severity rating is likely. A more accurate score will be available once a formal analysis has been completed.
Possible Impact
Successful exploitation of this vulnerability can lead to severe consequences, including:
- Arbitrary Code Execution: The attacker can execute arbitrary code on the victim’s system with the privileges of the user running Nero BackItUp.
- Malware Installation: The attacker can install malware, such as ransomware, keyloggers, or trojans.
- Data Theft: Sensitive data can be stolen from the compromised system.
- System Compromise: The attacker can gain complete control of the compromised system.
Mitigation or Patch Steps
The primary mitigation strategy is to apply the official patch or update provided by Nero as soon as it becomes available. Until a patch is released, consider the following temporary workarounds (although they may impact functionality):
- Avoid clicking on unfamiliar or suspicious folders within the Nero BackItUp interface.
- Disable Nero BackItUp’s automatic backup features until a patch is available. This reduces the attack surface.
- Monitor system activity for suspicious processes or file modifications.
Keep an eye on Nero’s official website and security advisories for the latest updates.
