Ideally, text editors are passive tools—you open a file, edit it, and save it. But a new high-severity vulnerability in Vim for Windows turns that assumption on its head, potentially allowing attackers to execute malicious code simply because a user opened a file in a compromised directory.
The vulnerability, tracked as CVE-2025-66476, carries a CVSS score of 7.8 (High). It exploits a quirk in how Windows handles command execution to trick the editor into running malware instead of legitimate system tools.
The core of the issue is the order in which Vim, running on Windows, locates external programs. When the editor invokes a command through the command shell (cmd.exe), the current working directory is searched before the system directories, so a binary planted in the project folder wins over the trusted copy in a system path.
According to the security advisory, “An uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file.”
This creates a dangerous scenario for developers who frequently clone repositories or open project folders received from others. “This enables an attacker to plant a trojanized executable with a commonly used name (e.g. findstr.exe) inside a project folder and have Vim execute it instead of the intended system binary.”
The vulnerability is triggered when a user performs common tasks that invoke external utilities. For example, if a developer runs a grep command to search for text within their project, Vim typically calls findstr.exe. If a malicious file named findstr.exe exists in that folder, Vim will unknowingly execute the malware.
The advisory warns that the flaw manifests “when Vim invokes tools such as findstr for grep, external commands or filters via :!, or compiler/:make commands.”
The vulnerability can be triggered by:
- Running :grep (using Windows findstr.exe)
- Executing external commands using :!
- Running :make build tools
- Using filter commands (!)
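Defenders can check a cloned repository for exactly this kind of planted binary before opening it in Vim. The script below is an added example written for this article, not code from the Vim project: it walks a project tree and reports any file whose name would be resolved by cmd.exe in place of a system tool when that folder is the working directory. The tool list (findstr, from the advisory) and the executable extensions are assumptions you should extend for your own :make and :! usage.

```python
"""Audit a project tree for executables that shadow Windows system tools
Vim may invoke through cmd.exe (e.g. findstr.exe for :grep).

Added example for this article, not code from the Vim project. The tool
names and extensions are assumptions modelled on the advisory's findstr
example and Windows' default PATHEXT; extend them for your environment.
"""
import os
import tempfile
from pathlib import Path

# Tool named in the advisory; :make and :! targets are user-defined, so
# callers pass their own list (this default is an assumption).
DEFAULT_TOOLS = ("findstr",)

# Extensions cmd.exe treats as executable (abbreviated default PATHEXT).
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")


def shadowing_executables(root, tools=DEFAULT_TOOLS):
    """Return paths under *root* whose file name cmd.exe would pick instead
    of a system tool when that directory is the working directory.
    Matching is case-insensitive, as Windows file names are."""
    wanted = {t.lower() for t in tools}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if stem.lower() in wanted and ext.lower() in EXEC_EXTS:
                hits.append(str(Path(dirpath) / name))
    return sorted(hits)


def demo():
    """Build a constructed project tree with two planted findstr lookalikes
    and ordinary source files, then run the audit over it."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = Path(tmp) / "project"
        (proj / "src").mkdir(parents=True)
        (proj / "README.md").write_text("docs\n")
        (proj / "src" / "main.c").write_text("int main(void){return 0;}\n")
        (proj / "findstr.exe").write_bytes(b"MZ constructed sample")  # planted
        (proj / "src" / "FINDSTR.CMD").write_text("@echo planted\n")  # planted
        hits = shadowing_executables(proj)
        return [Path(h).relative_to(proj).as_posix() for h in hits]


if __name__ == "__main__":
    for path in demo():
        print("shadowing executable:", path)
```

Run it against a freshly cloned repository (with your own tool list) before opening files from it in Vim; any hit deserves inspection before the directory is trusted.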
Because this attack leverages the inherent trust a user places in their workspace, it bypasses traditional security warnings. “Executing a malicious binary in this way allows arbitrary code execution with the privileges of the user running Vim, without requiring elevated permissions.”
The vulnerability was reported by Simon Zuckerbraun of Trend Micro’s Zero Day Initiative (ZDI). The Vim maintainers have acted quickly to close this loophole.
Affected Versions: Vim for Windows version 9.1.1946 and earlier. Fixed Version: Vim v9.1.1947.
Windows users are strongly urged to update their Vim installation immediately to prevent accidental code execution from untrusted project directories.