CVE-2025-27423
Published: 03 March 2025
Summary
CVE-2025-27423 is a high-severity Command Injection (CWE-77) vulnerability in Vim. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 15.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
Vim's tar.vim plugin, distributed with the editor for viewing and editing (compressed or uncompressed) tar archives, contains a command injection flaw. Starting with patch 9.1.0858 the plugin builds a ":read" ex command from a member name taken literally from the archive, without sanitizing it. Because ":read" treats an argument beginning with "!" as a shell command to run (documented Vim behaviour), a crafted member name can make Vim execute attacker-chosen commands through the shell configured by the 'shell' option, which Vim initialises from $SHELL. The flaw is tracked as CWE-77, and its CVSS 7.1 rating reflects a local attack vector, low attack complexity, and required user interaction.
Exploitation requires delivering a malicious tar archive that the victim opens or views in Vim. When tar.vim processes the archive, the embedded command runs with the privileges of the Vim process and can read or modify files or otherwise alter system state. Whether the injection actually fires depends on the victim's shell configuration; no network access or elevated privileges are required, but the victim must open the archive inside Vim.
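The practical triage question this raises is how to tell whether a tar archive carries a member name that tar.vim would hand to ":read" unsafely. The following scanner is an added example, not code from the advisory or from the Vim project: it builds a small archive in memory from constructed sample data and classifies every member name. The only rule taken from documented Vim behaviour is that ":read !cmd" runs cmd through the shell; the second pattern (pipe, newline, backtick, dollar) is a conservative heuristic of my own and may over-flag.

```python
"""Flag tar member names that are unsafe to pass to Vim's :read command.

Added example for CVE-2025-27423 (not the advisory's or Vim's code).
"""
import io
import re
import tarfile

# A name beginning with '!' turns ':read NAME' into ':read !cmd', which Vim
# runs through the shell named by the 'shell' option (documented Vim syntax).
SHELL_PREFIX = re.compile(r"^\s*!")
# Heuristic (assumption, not from the advisory): characters that an ex command
# line or the shell may interpret before a plain filename is read.
SUSPICIOUS = re.compile(r"[|\r\n`$]")


def classify_name(name: str) -> str:
    """Return 'shell-command', 'suspicious' or 'ok' for one member name."""
    if SHELL_PREFIX.match(name):
        return "shell-command"
    if SUSPICIOUS.search(name):
        return "suspicious"
    return "ok"


def scan_tar(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, verdict) for every member that is not 'ok'."""
    findings: list[tuple[str, str]] = []
    # 'r:*' lets tarfile pick the compression, matching tar.vim's scope
    # (compressed or uncompressed archives).
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            verdict = classify_name(member.name)
            if verdict != "ok":
                findings.append((member.name, verdict))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: one benign entry, one '!' entry, one with a pipe."""
    entries = [
        ("notes.txt", b"hello\n"),
        ("!echo injected", b"x\n"),   # would become ':read !echo injected'
        ("a|b.txt", b"y\n"),          # only flagged by the heuristic rule
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in entries:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_tar(build_sample()):
        print(f"{verdict:14s} {name!r}")
```

Run it against a real archive with `scan_tar(open(path, "rb").read())`; a "shell-command" finding means the name would be executed by any tar.vim build in the affected range, while "suspicious" names deserve a manual look before the archive is opened in Vim.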
The vulnerability was addressed in Vim patch 9.1.1164. Official remediation guidance and the corresponding commits are published in the Vim GitHub repository and the GitHub Security Advisory GHSA-wfmf-8626-q3r3; NetApp has also issued a related advisory (NTAP-20250502-0002) for affected products.
The associated EPSS score has remained flat at 0.0208 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6012
Vulnerability details
Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, which allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position; however, the filename is not sanitized and is taken literally from the tar archive. This allows execution of shell commands via specially crafted tar archives. Whether this really happens depends on the shell being used (the 'shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164.
CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the Vim tar.vim plugin gives arbitrary Unix shell execution when a user opens a malicious tar file, which maps directly to Exploitation for Client Execution (T1203), User Execution: Malicious File (T1204.002), and Command and Scripting Interpreter: Unix Shell (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of known vulnerabilities such as CVE-2025-27423 by patching Vim to v9.1.1164 or later, which removes the command injection from tar.vim.
- SI-10 (Information Input Validation): mandates validation and sanitization of inputs such as the tar member names that tar.vim passes to Vim's ':read' command, preventing the injection from being triggered.
- RA-5 (Vulnerability Monitoring and Scanning): identifies systems running vulnerable Vim versions through scanning, enabling patching before a crafted tar archive reaches a user.