PotatoHamm/Nero-Productline-Vulnerability

Nero BackItUp Path Parsing and UI Spoofing Leads to Arbitrary Code Execution (CVE-2025-63680)

Advisory Date: 2025-11-12
CVE ID: CVE-2025-63680

Summary

A path parsing and UI rendering flaw in Nero BackItUp, in combination with Windows ShellExecuteW extension fallback resolution, allows arbitrary code execution when a user clicks a crafted entry in the built-in file browser. By creating a trailing-dot directory and placing a same-basename script file in the same folder, an attacker can make Nero BackItUp display the script as a folder icon and then execute it when the user clicks the entry.

This issue affects recent Nero BackItUp product lines (2019–2025 and earlier, as tested) and has been acknowledged by the vendor.

CVE ID and Severity

  • CVE ID: CVE-2025-63680
  • CWE: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CVSS v3.1 Score: 8.6 (High)
  • Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

The following Nero BackItUp product lines are affected (as tested):

  • Nero BackItUp – Nero 2025 Productline
  • Nero BackItUp – Nero 2024 Productline
  • Nero BackItUp – Nero 2023 Productline
  • Nero BackItUp – Nero 2022 Productline
  • Nero BackItUp – Nero 2021 Productline
  • Nero BackItUp – Nero 2020 Productline
  • Nero BackItUp – Nero 2019 Productline and earlier (likely affected)

Other versions may also be affected if they share the same file browser implementation.

Technical Details

Nero BackItUp includes a file browser UI that displays folders and files. On Windows, it is possible to create directories with a trailing dot using the \\?\ extended path syntax (for example, demo.). When a same-basename file such as demo..cmd is placed in the same directory, Nero BackItUp mis-renders the file with a folder icon, effectively spoofing the real object type.

When the user clicks this spoofed entry, Nero BackItUp directly invokes ShellExecuteW on that path. ShellExecuteW follows the Windows PATHEXT fallback order (.COM;.EXE;.BAT;.CMD) when resolving executable files. This causes Windows to execute the attacker's script instead of opening a folder.

This vulnerability is caused by:

  1. Lack of filtering/normalization of unsafe paths (trailing-dot directories).
  2. Blind invocation of ShellExecuteW on user-clicked items.

Combined, these lead to arbitrary code execution in the security context of the current user.

Attack Scenario / Exploitation

An attacker can exploit this issue via the following steps:

  1. Prepare a directory containing:
     • A trailing-dot folder (e.g., demo.).
     • A same-basename script file (e.g., demo..cmd).
  2. Convince a victim to open this directory using the Nero BackItUp file browser.
  3. Nero BackItUp mis-renders the script file as a folder named demo.
  4. When the victim clicks the spoofed folder icon, Nero BackItUp calls ShellExecuteW.
  5. ShellExecuteW uses PATHEXT fallback logic and launches the attacker's script.

User interaction is required (UI:R), but no privileges are required (PR:N).
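As an added, defender-side illustration of the two root causes listed under Technical Details and the click sequence above (this is example code, not from the Nero-Productline-Vulnerability repository or from Nero), the following Python models the pre-flight check a file browser could run before anything it was clicked on reaches the shell. The directory listing is constructed; the demo. / demo..cmd pair mirrors the advisory's example names. The normalization routine is an approximation of Win32 trailing-dot/space stripping, and the refusal policy in safe_to_open is this example's own choice, not Nero's behaviour.

```python
"""Defender-side pre-flight check for a file-browser "open" action.

Added example, not code from the Nero-Productline-Vulnerability repository
or from Nero. It models the two defects named in the advisory: names with a
trailing dot or space are never normalized, and whatever the user clicks is
handed straight to ShellExecuteW. The directory listing is constructed here;
the demo. / demo..cmd pair mirrors the advisory's example names.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Extensions ShellExecuteW may append when resolving a name that has none
# (the PATHEXT fallback order quoted in the advisory).
PATHEXT_FALLBACK = (".com", ".exe", ".bat", ".cmd")


@dataclass(frozen=True)
class Entry:
    name: str     # name exactly as stored on disk
    is_dir: bool  # what the file system reports, not what the UI draws


def has_unsafe_suffix(name: str) -> bool:
    """True for names ending in '.' or ' '.

    Win32 normal-path processing strips those characters, so such a name can
    only have been created through the \\\\?\\ prefix and cannot be addressed
    reliably by a normal-path API like ShellExecuteW.
    """
    return name != name.rstrip(". ")


def normalize(name: str) -> str:
    """Approximation (assumption) of the Win32 canonical form: drop trailing
    dots/spaces and fold case, so 'demo.' and 'DEMO' compare equal."""
    return name.rstrip(". ").lower()


def find_spoof_candidates(listing: List[Entry]) -> List[Tuple[str, str]]:
    """Return (directory, script) pairs whose normalized basenames collide.

    'demo.' + '.cmd' spells 'demo..cmd', which is what a PATHEXT fallback
    applied to the unnormalized directory name would resolve to.
    """
    dirs = {}
    for e in listing:
        if e.is_dir:
            dirs.setdefault(normalize(e.name), []).append(e.name)
    hits = []
    for e in listing:
        if e.is_dir:
            continue
        base, dot, ext = e.name.rpartition(".")
        if dot and ("." + ext).lower() in PATHEXT_FALLBACK:
            for d in dirs.get(normalize(base), []):
                hits.append((d, e.name))
    return hits


def safe_to_open(entry: Entry, listing: List[Entry]) -> Tuple[bool, str]:
    """Gate a click before anything reaches the shell.

    Policy (this example's choice): refuse unnormalizable names, refuse
    directories that have a same-basename script sibling, navigate real
    directories inside the app instead of via ShellExecuteW, and never
    shell-open a file whose extension is on the PATHEXT fallback list.
    """
    if has_unsafe_suffix(entry.name):
        return False, "name ends in '.' or ' ' (only creatable via \\\\?\\)"
    if entry.is_dir:
        siblings = [s for d, s in find_spoof_candidates(listing) if d == entry.name]
        if siblings:
            return False, f"directory shadowed by script sibling(s): {siblings}"
        return True, "real directory: navigate in-app, do not call ShellExecuteW"
    _, dot, ext = entry.name.rpartition(".")
    if dot and ("." + ext).lower() in PATHEXT_FALLBACK:
        return False, "executable/script extension: not opened from the backup browser"
    return True, "data file"


def constructed_listing() -> List[Entry]:
    """Constructed sample listing (not from a real installation)."""
    return [
        Entry("demo.", True),        # trailing-dot directory, created via \\?\
        Entry("demo..cmd", False),   # same-basename script the UI draws as a folder
        Entry("Photos", True),
        Entry("notes.txt", False),
        Entry("setup.exe", False),   # executable with no colliding directory
    ]


if __name__ == "__main__":
    listing = constructed_listing()
    print("spoof candidates:", find_spoof_candidates(listing))
    for e in listing:
        print(f"{e.name!r:14} -> {safe_to_open(e, listing)}")
```

Running the block flags the demo. / demo..cmd pair and refuses both entries, while the ordinary folder and text file pass. The important design point is that a directory click is answered by in-app navigation, never by a ShellExecuteW call on a user-controlled name, so the PATHEXT fallback is never given a chance to pick a sibling script.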

Proof of Concept

The following PoC launches Calculator on Windows:

mkdir "\\?\%USERPROFILE%\Desktop\backitup-poc\demo. "
copy nul "\\?\%USERPROFILE%\Desktop\backitup-poc\demo . " >NUL
echo start calc>"\\?\%USERPROFILE%\Desktop\backitup-poc\demo ..cmd"

Impact

Successful exploitation allows arbitrary code execution as the current user, potentially leading to compromise of user data and backups.
