CVE-2025-5180

7.0 HIGH

📋 TL;DR

This is a high-severity uncontrolled search path vulnerability (DLL hijacking) in Wondershare Filmora's installer component. An attacker who places a malicious DLL in a location the installer searches can potentially achieve arbitrary code execution. Exploitation is local only: the attacker must already have physical or remote access to the target system.

💻 Affected Systems

Products:
  • Wondershare Filmora
Versions: 14.5.16 (specific version confirmed, other versions may be affected)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the installer component (NFWCHK.exe) which loads CRYPTBASE.dll from an uncontrolled search path.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative privileges, allowing attackers to install malware, steal data, or create persistent backdoors.

🟠 Likely Case

Local privilege escalation or arbitrary code execution in the context of the user running the installer, enabling further system compromise.

🟢 If Mitigated

Limited impact if proper access controls prevent unauthorized users from placing files in search paths or executing the vulnerable installer.

🌐 Internet-Facing: LOW - This vulnerability requires local access and cannot be exploited remotely over the internet.
🏢 Internal Only: HIGH - Internal attackers with local access can exploit this vulnerability to gain elevated privileges or execute arbitrary code.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploit requires local access and specific conditions to place malicious DLL in search path. Public exploit code is available but exploitation is described as difficult.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Monitor Wondershare's official channels for security updates and patch announcements.

🔧 Temporary Workarounds

Restrict installer execution (Windows)

Limit execution of NFWCHK.exe to trusted administrators only and prevent standard users from running the installer.

Use Windows Group Policy or application whitelisting to restrict execution of NFWCHK.exe

Secure DLL search paths (Windows)

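Enable SafeDllSearchMode and restrict directory permissions to limit DLL hijacking. SafeDllSearchMode only moves the current working directory later in the search order; the directory containing the executable is still searched first, so write permissions on that directory still need to be restricted.

Set registry value: HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 1
Restrict write permissions to directories in the DLL search path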

🧯 If You Can't Patch

  • Remove or restrict access to NFWCHK.exe installer file from non-administrative users
  • Implement application control policies to prevent execution of untrusted DLLs in the search path

🔍 How to Verify

Check if Vulnerable:

Check if Wondershare Filmora version 14.5.16 is installed and if NFWCHK.exe exists in the installation directory. Verify if CRYPTBASE.dll can be loaded from uncontrolled paths.

Check Version:

Check Filmora version in Help > About menu or examine installation directory properties

Verify Fix Applied:

Check for updated version from Wondershare or verify that NFWCHK.exe no longer loads DLLs from uncontrolled search paths.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing DLL loading from unusual locations
  • Process creation events for NFWCHK.exe followed by suspicious DLL loads

Network Indicators:

  • No network indicators - this is a local vulnerability

SIEM Query:

Process Creation where Image contains 'NFWCHK.exe' AND DLL Loaded from path not in (expected installation directories)
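
One way to turn the query above into working detection logic, as an added example that is not part of the original advisory. It assumes Sysmon Event ID 7 (ImageLoad) records already parsed into dictionaries; the allowlist of expected directories and all sample events are constructed for illustration.

```python
import ntpath

# Assumptions (not from the advisory): input is Sysmon Event ID 7 (ImageLoad)
# records parsed into dicts, and EXPECTED_DIRS is a site-specific allowlist.
TARGET_PROCESS = "nfwchk.exe"
WATCHED_DLL = "cryptbase.dll"
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def normalize(path):
    """Collapse '..' segments and case so allowlist checks cannot be sidestepped."""
    return ntpath.normpath(path).lower()


def find_suspicious_loads(events):
    """Return loads of WATCHED_DLL by TARGET_PROCESS from outside EXPECTED_DIRS."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events carry ImageLoaded
        image = normalize(ev.get("Image", ""))
        loaded = normalize(ev.get("ImageLoaded", ""))
        if ntpath.basename(image) != TARGET_PROCESS:
            continue
        if ntpath.basename(loaded) != WATCHED_DLL:
            continue
        if ntpath.dirname(loaded) in EXPECTED_DIRS:
            continue  # loaded from an expected system directory
        findings.append({
            "process": image,
            "dll": loaded,
            "same_dir_as_exe": ntpath.dirname(loaded) == ntpath.dirname(image),
            "signed": ev.get("Signed", "").lower() == "true",
        })
    return findings


# Constructed sample events for illustration; not taken from a real host.
EXE = r"C:\Users\alice\Downloads\NFWCHK.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EXE},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Windows\System32\cryptbase.dll", "Signed": "true"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Users\alice\Downloads\CRYPTBASE.dll", "Signed": "false"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Windows\System32\..\Temp\cryptbase.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\alice\Downloads\cryptbase.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_EVENTS):
        print(hit)
```

Paths are normalized before the allowlist check, so a load path containing `..` segments is compared by the directory it actually resolves to.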
