CVE-2025-66476

7.8 HIGH

📋 TL;DR

Vim on Windows runs external commands (:!, :grep, :make and the functions and plugins built on them) through the program named by the 'shell' option, which defaults to cmd.exe. cmd.exe resolves an unqualified command name, such as the findstr in Vim's default 'grepprg', against the current working directory before it searches PATH, so an executable planted in the directory whose files a user is editing runs in place of the system tool, with that user's privileges. Fixed in 9.1.1947; Vim configured with another shell, and Vim on other operating systems, are not affected.

💻 Affected Systems

Products:
  • Vim
Versions: All versions prior to 9.1.1947
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows when using cmd.exe as the shell. Other shells or operating systems are not affected.

📦 What is this software?

Vim is a widely used text editor. On Windows it runs external commands (:!, :grep, :make, system()) through the shell named by its 'shell' option, which defaults to cmd.exe; the default 'grepprg' on Windows is 'findstr /n $* nul'.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code execution with the privileges of the user running Vim. If that user is an administrator, or the host holds credentials or reachable shares, this becomes a foothold for lateral movement, data theft or ransomware deployment.

🟠

Likely Case

Execution of an attacker-supplied binary in the user's own security context when the user runs :grep, :make or :! (directly, or through a plugin) while Vim's working directory is one the attacker could write to: an extracted archive, a cloned repository, a network share or Downloads. No privilege escalation is involved beyond what the user already holds.

🟢

If Mitigated

Limited impact if users only edit files from trusted directories and follow security best practices.

🌐 Internet-Facing: LOW - This is primarily a local attack vector requiring user interaction with malicious files.
🏢 Internal Only: MEDIUM - Internal users could be targeted via shared directories or phishing with malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to plant an executable named after a tool Vim (or a plugin) invokes, for example findstr.exe for the default 'grepprg' or make.exe for 'makeprg', in a directory the victim will use as Vim's working directory, and requires the victim to trigger an external command from there (:grep, :make, :!, or a plugin or autocommand doing so). Merely opening a file does not by itself run anything.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.1.1947

Vendor Advisory: https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834

Restart Required: No system reboot; running Vim instances keep the old binary loaded and must be closed and relaunched.

Instructions:

1. Download Vim 9.1.1947 or later from official sources.
2. Install the new version, overwriting the old installation.
3. Verify the version with 'vim --version' (the 'Included patches' line must reach 1947).

🔧 Temporary Workarounds

Change shell to PowerShell

windows

PowerShell does not run an executable from the current directory unless the name is written with an explicit .\ prefix, so switching Vim's shell to PowerShell sidesteps cmd.exe's lookup order. The two settings below are the minimum; :! filters and :grep/:make output capture usually also need 'shellquote', 'shellxquote', 'shellpipe' and 'shellredir' adjusted for PowerShell (see ':help 'shell'' in Vim). Put them in _vimrc and confirm with ':set shell?' in a running Vim, since a plugin can set the option back.

set shell=powershell.exe
set shellcmdflag=-command

Avoid untrusted directories

all

Only edit files from trusted directories and avoid opening files from unknown sources.

🧯 If You Can't Patch

  • Use AppLocker or Windows Defender Application Control to deny execution from user-writable locations (Downloads, Temp, network shares, checked-out repositories): a planted findstr.exe or make.exe has to live in such a directory to be picked up.
  • Review Vim plugins and autocommands that shell out on BufRead, BufWritePost or similar events (linters, formatters, tag generators); they turn opening a file from an untrusted directory into running a command from it without any further user action.

🔍 How to Verify

Check if Vulnerable:

Run 'vim --version' and read the 'Included patches' line; on a 9.1 build a highest patch number below 1947 is vulnerable. Then confirm the shell in use with ':set shell?' inside Vim (the default on Windows is cmd.exe; the check is needed because a vimrc or plugin may have changed it).

Check Version:

vim --version | findstr /C:"Vi IMproved" /C:"Included patches"

Verify Fix Applied:

Confirm that 'vim --version' reports 9.1 with 'Included patches' reaching 1947 or later (or a newer release), then run an external command from a scratch directory containing a harmless batch file named after a system tool and check that the system tool, not the file in the directory, is what executes.
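
The following PowerShell script, added here as a worked example and not part of the advisory or of the Vim project, automates both checks: it parses 'vim --version' for the patch level, reads the effective 'shell' and 'shellcmdflag' from the user's _vimrc, and with -Behavioural runs the benign probe described above, once with the default lookup and once with the documented Windows environment variable NoDefaultCurrentDirectoryInExePath set, which tells cmd.exe not to search the current directory. Whether the Vim fix relies on that variable is not stated on this page; the probe simply reports what happens either way. It assumes console vim.exe is on PATH (or is passed with -VimExe), that the fixed patch level is 1947 on the 9.1 line as this page states, and that the user's vimrc is %USERPROFILE%\_vimrc (pass -VimRc otherwise).

```powershell
<#
 Added verification script for this advisory (example code, not from the Vim project).
 Reports version/patch level, the 'shell' settings loaded from the user's _vimrc and,
 with -Behavioural, whether an external command started from Vim picks up a findstr.cmd
 stub in the working directory instead of %SystemRoot%\System32\findstr.exe.
 Assumptions: vim.exe on PATH (or -VimExe), fixed patch 1947 on 9.1, vimrc at
 %USERPROFILE%\_vimrc (or -VimRc).
#>
param(
    [string]$VimExe = 'vim.exe',
    [string]$VimRc  = (Join-Path $env:USERPROFILE '_vimrc'),
    [switch]$Behavioural
)

function Get-VimVersionInfo {
    param([string]$Exe)
    $text = (& $Exe --version 2>&1) -join "`n"
    # First line reads e.g. "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled ...)"
    $m = [regex]::Match($text, 'Vi IMproved (\d+)\.(\d+)')
    if (-not $m.Success) { throw "Cannot parse '$Exe --version' output" }
    # Patch line reads e.g. "Included patches: 1-1947" (may list several ranges)
    $patch = 0
    $pm = [regex]::Match($text, 'Included patches:\s*([\d,\s-]+)')
    if ($pm.Success) {
        $patch = ($pm.Groups[1].Value -split ',' |
            ForEach-Object { [int](($_.Trim() -split '-')[-1]) } |
            Measure-Object -Maximum).Maximum
    }
    [pscustomobject]@{ Major = [int]$m.Groups[1].Value; Minor = [int]$m.Groups[2].Value; Patch = [int]$patch }
}

function Test-VimFixedVersion {
    param($Info)
    # Fixed in 9.1.1947 (this advisory); later minor or major releases carry the fix.
    if ($Info.Major -ne 9) { return ($Info.Major -gt 9) }
    if ($Info.Minor -ne 1) { return ($Info.Minor -gt 1) }
    return ($Info.Patch -ge 1947)
}

function Get-VimShellOptions {
    param([string]$Exe, [string]$RcFile)
    # -es (silent Ex mode) skips initialisation files, so the vimrc is passed with -u;
    # writefile() is used because ':set shell?' output is not shown in that mode.
    $out = Join-Path $env:TEMP ('vim-shell-{0}.txt' -f [guid]::NewGuid())
    $rc  = if (Test-Path $RcFile) { $RcFile } else { 'NONE' }
    & $Exe -es -u $rc -c "call writefile([&shell, &shellcmdflag], '$out')" -c 'qa!' | Out-Null
    if (-not (Test-Path $out)) { throw "Vim wrote nothing; check ':set shell? shellcmdflag?' interactively" }
    $lines = @(Get-Content $out)
    Remove-Item $out -ErrorAction SilentlyContinue
    [pscustomobject]@{ Shell = $lines[0]; ShellCmdFlag = $lines[1] }
}

function Test-CurrentDirectoryLookup {
    param([string]$Exe, [bool]$NoCwdLookup)
    $dir    = Join-Path $env:TEMP ('vim-cwd-probe-{0}' -f [guid]::NewGuid())
    $marker = Join-Path $dir 'marker.txt'
    New-Item -ItemType Directory -Path $dir | Out-Null
    # Benign stand-in for findstr.exe: cmd.exe tries every PATHEXT extension (.cmd included)
    # in the current directory before it walks PATH, so this stub shadows the system tool.
    Set-Content -Path (Join-Path $dir 'findstr.cmd') -Value "@echo cwd-lookup > `"$marker`""
    $saved = $env:NoDefaultCurrentDirectoryInExePath
    try {
        # Documented Windows variable honoured by cmd.exe; inherited by Vim and its shell.
        if ($NoCwdLookup) { $env:NoDefaultCurrentDirectoryInExePath = '1' }
        else { Remove-Item Env:\NoDefaultCurrentDirectoryInExePath -ErrorAction SilentlyContinue }
        Push-Location $dir
        # Same command line Vim's default 'grepprg' ("findstr /n $* nul") produces, run via :!
        & $Exe -es -u NONE -c 'silent !findstr /n probe nul' -c 'qa!' | Out-Null
    } finally {
        Pop-Location
        if ($null -ne $saved) { $env:NoDefaultCurrentDirectoryInExePath = $saved }
        else { Remove-Item Env:\NoDefaultCurrentDirectoryInExePath -ErrorAction SilentlyContinue }
    }
    $hit = Test-Path $marker
    Remove-Item $dir -Recurse -Force -ErrorAction SilentlyContinue
    return $hit   # $true: the stub in the working directory ran instead of the system tool
}

$info  = Get-VimVersionInfo -Exe $VimExe
$shell = Get-VimShellOptions -Exe $VimExe -RcFile $VimRc
$state = if (Test-VimFixedVersion $info) { 'fixed (>= 9.1.1947)' } else { 'VULNERABLE version' }
'Vim {0}.{1} patch {2}: {3}' -f $info.Major, $info.Minor, $info.Patch, $state
$note  = if ($shell.Shell -match '(^|[\\/])cmd(\.exe)?$') { '  <- cmd.exe: affected configuration' } else { '' }
'shell={0}  shellcmdflag={1}{2}' -f $shell.Shell, $shell.ShellCmdFlag, $note
if ($Behavioural) {
    'Stub executed with default lookup:                       {0}' -f (Test-CurrentDirectoryLookup $VimExe $false)
    'Stub executed with NoDefaultCurrentDirectoryInExePath=1: {0}' -f (Test-CurrentDirectoryLookup $VimExe $true)
}
```

Run it as the user whose Vim is being checked, since the shell settings are read from that user's _vimrc. The probe uses a .cmd stub, writes only a marker file inside a scratch directory under %TEMP%, and removes both. If the stub is reported as executed on a build at or above 9.1.1947, confirm that the vim.exe found on PATH is the one that was updated; if the version is below that and the stub is not executed, confirm that the working directory lookup is really going through cmd.exe by running the same command interactively.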

📡 Detection & Monitoring

Log Indicators:

  • Process creation (Sysmon Event ID 1, Security 4688) where the image path lies in a user-writable directory, typically the same path as the process's CurrentDirectory, but the file name matches a system tool (findstr.exe, grep.exe, make.exe)
  • Parent chain vim.exe (or gvim.exe) -> cmd.exe -> tool: the tool's direct parent is cmd.exe and Vim is one more hop up, so a rule keyed only on ParentImage = vim.exe sees the cmd.exe launch but not the hijacked tool

Network Indicators:

  • Unusual outbound connections from Vim processes

SIEM Query:

Sysmon Event ID 1 where ParentImage ends with \cmd.exe, the directory part of Image equals CurrentDirectory, Image is not under C:\Windows\ or C:\Program Files\, and the Image file name is one of findstr.exe, grep.exe, make.exe; then join ParentProcessGuid to the cmd.exe event whose ParentImage ends with \vim.exe or \gvim.exe
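
The following PowerShell is an added detection example, not code from this page's source or from the Vim project. It implements the rule above over Sysmon Event ID 1 records: a process whose name matches a watched tool, started via cmd.exe from its own working directory rather than a system location, is flagged, and ParentProcessGuid is followed one hop up to report whether that cmd.exe was spawned by vim.exe or gvim.exe. Field names are Sysmon's; the watched-tool list and the three sample records are constructed for the example.

```powershell
<#
 Added detection example (not from this page's source). Flags Sysmon EID 1 records where a
 watched tool name ran from the process's own CurrentDirectory via cmd.exe, and checks whether
 that cmd.exe was Vim's child. Sample records below are constructed.
#>

# Names worth watching: the default 'grepprg' runs findstr, ':make' runs 'makeprg' (make by
# default), and plugins commonly shell out to git, ctags and python.  Extend to taste.
$WatchedTools = @('findstr.exe', 'grep.exe', 'make.exe', 'git.exe', 'ctags.exe', 'python.exe')

function ConvertFrom-SysmonProcessEvent {
    # Flattens a Get-WinEvent record for Sysmon ID 1 into an object keyed by EventData Name,
    # which is stable across Sysmon versions where positional Properties[] indexes are not.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $o = @{}
    foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
    [pscustomobject]$o
}

function Find-CwdToolHijack {
    param([object[]]$Events, [string[]]$ToolNames = $WatchedTools)
    $byGuid = @{}
    foreach ($e in $Events) { $byGuid[$e.ProcessGuid] = $e }
    foreach ($e in $Events) {
        $name     = [IO.Path]::GetFileName($e.Image)
        $imageDir = [IO.Path]::GetDirectoryName($e.Image).TrimEnd('\')
        $cwd      = $e.CurrentDirectory.TrimEnd('\')
        $fromCwd  = ($imageDir -eq $cwd)        # string -eq is case-insensitive in PowerShell
        $inSystem = $e.Image -match '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
        $viaCmd   = ([IO.Path]::GetFileName($e.ParentImage) -eq 'cmd.exe')
        if (-not ($fromCwd -and -not $inSystem -and $viaCmd -and ($ToolNames -contains $name))) { continue }
        # One hop up: the cmd.exe that ran the tool is Vim's child when Vim issued the command.
        $parent  = $byGuid[$e.ParentProcessGuid]
        $fromVim = ($null -ne $parent) -and ([IO.Path]::GetFileName($parent.ParentImage) -match '^g?vim\.exe$')
        [pscustomobject]@{
            UtcTime      = $e.UtcTime
            Image        = $e.Image
            CommandLine  = $e.CommandLine
            Cwd          = $e.CurrentDirectory
            ParentCmd    = $e.ParentCommandLine
            SpawnedByVim = $fromVim
        }
    }
}

# Constructed sample records (Sysmon EID 1 field names; paths and GUIDs invented for this example).
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2025-12-01 09:00:00.000'; ProcessGuid = '{a1}'; ParentProcessGuid = '{a0}'
        Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'C:\Windows\system32\cmd.exe /c (findstr /n TODO nul)'
        CurrentDirectory = 'C:\Users\alice\Downloads\project\'; ParentImage = 'C:\Program Files\Vim\vim91\vim.exe'
        ParentCommandLine = 'vim.exe notes.txt' }
    [pscustomobject]@{ UtcTime = '2025-12-01 09:00:00.050'; ProcessGuid = '{a2}'; ParentProcessGuid = '{a1}'
        Image = 'C:\Users\alice\Downloads\project\findstr.exe'; CommandLine = 'findstr /n TODO nul'
        CurrentDirectory = 'C:\Users\alice\Downloads\project\'; ParentImage = 'C:\Windows\System32\cmd.exe'
        ParentCommandLine = 'C:\Windows\system32\cmd.exe /c (findstr /n TODO nul)' }
    [pscustomobject]@{ UtcTime = '2025-12-01 09:05:00.000'; ProcessGuid = '{b2}'; ParentProcessGuid = '{b1}'
        Image = 'C:\Windows\System32\findstr.exe'; CommandLine = 'findstr /n TODO nul'
        CurrentDirectory = 'C:\Users\alice\src\'; ParentImage = 'C:\Windows\System32\cmd.exe'
        ParentCommandLine = 'C:\Windows\system32\cmd.exe /c (findstr /n TODO nul)' }
)

# Only the second record is reported, with SpawnedByVim = True; the benign System32 findstr is not.
Find-CwdToolHijack -Events $SampleEvents | Format-List

# Live use against the Sysmon log on a host:
#   $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#         ForEach-Object { ConvertFrom-SysmonProcessEvent $_ }
#   Find-CwdToolHijack -Events $ev | Format-Table -AutoSize
```

The rule needs CurrentDirectory, which Sysmon records and Security event 4688 does not; with 4688 alone you can still match NewProcessName outside C:\Windows\ and C:\Program Files\ against the watched names, but you lose the working-directory test and the grandparent link to Vim. Expect some noise from developers whose checked-out projects legitimately carry a tool with one of these names; the SpawnedByVim column and the Cwd path are what separate a planted binary from a build script's own helper.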
