Login Sign Up

CVE-2025-59050

8.4 HIGH
Remote Code Execution Deserialization

📋 TL;DR

This vulnerability allows a local attacker to execute arbitrary code within the Greenshot screenshot utility process by sending malicious WM_COPYDATA messages. Attackers can bypass application control policies by running payloads inside the trusted Greenshot.exe process. All Windows users running Greenshot version 1.3.300 or earlier are affected.

💻 Affected Systems

Products:
  • Greenshot
Versions: 1.3.300 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All Windows installations of affected Greenshot versions are vulnerable by default.

📦 What is this software?

Greenshot by Getgreenshot

View all CVEs affecting Greenshot →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through privilege escalation, data theft, or malware deployment via Greenshot's process context.

🟠

Likely Case

Local attackers achieving code execution within Greenshot's process to bypass security controls or maintain persistence.

🟢

If Mitigated

Limited impact if proper network segmentation and endpoint protection are in place, though local exploitation risk remains.

🌐 Internet-Facing: LOW - This is a local-only vulnerability requiring process interaction on the same system.
🏢 Internal Only: HIGH - Any local process at the same integrity level can exploit this vulnerability without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to send WM_COPYDATA messages to the Greenshot window, but no authentication is needed beyond having a process at the same integrity level.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.301

Vendor Advisory: https://github.com/greenshot/greenshot/security/advisories/GHSA-8f7f-x7ww-xx5w

Restart Required: Yes

Instructions:

1. Download Greenshot version 1.3.301 or later from the official GitHub repository. 2. Uninstall the old version. 3. Install the new version. 4. Restart the system to ensure all Greenshot processes are updated.

🔧 Temporary Workarounds

No known workarounds

windows

The advisory states no known workarounds exist for this vulnerability.

🧯 If You Can't Patch

  • Uninstall Greenshot completely from affected systems
  • Implement strict application control policies to prevent unauthorized processes from interacting with Greenshot

🔍 How to Verify

Check if Vulnerable:

Check Greenshot version in Help → About menu. If version is 1.3.300 or earlier, the system is vulnerable.

Check Version:

Check Greenshot.exe properties or use 'wmic product where name="Greenshot" get version' in command prompt

Verify Fix Applied:

Verify Greenshot version is 1.3.301 or later in Help → About menu.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from Greenshot.exe
  • Suspicious WM_COPYDATA message activity in Windows event logs

Network Indicators:

  • This is a local-only vulnerability with no network indicators

SIEM Query:

Process Creation where ParentImage contains 'Greenshot.exe' AND NOT (Image contains expected child processes)

📊 Metadata

CVE ID: CVE-2025-59050
CVSS v3 Score: 8.4 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
EPSS Score: 0.16% exploit probability (37.1th percentile)
Published: September 16, 2025
Last Updated: October 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-59050, you might also want to check these:

CVE-2023-46604 10.0

CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ's Java OpenWire ...

Same vulnerability type (CWE-502)
CVE-2023-49772 10.0

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code through deserializ...

Same vulnerability type (CWE-502)
CVE-2024-25100 10.0

This vulnerability allows unauthenticated attackers to inject malicious PHP objects via deserializat...

Same vulnerability type (CWE-502)