Cyber Posture

CVE-2025-27423

Severity: High
Published: 03 March 2025
Modified: 18 August 2025
KEV Added: not listed
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0208 (84.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27423 is a high-severity Command Injection (CWE-77) vulnerability in the Vim text editor (vendor: Vim). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 15.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires timely remediation of known vulnerabilities like CVE-2025-27423 through patching Vim to v9.1.1164 or later, directly eliminating the command injection in tar.vim.

Prevent: Mandates validation and sanitization of inputs such as unsanitized tar filenames passed to Vim's ':read' command, preventing command injection exploitation.

Detect: Facilitates identification of systems with vulnerable Vim versions via scanning, enabling proactive patching before exploitation of crafted tar archives.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in Vim's tar.vim plugin enables arbitrary Unix shell execution via a malicious tar file opened by the user, which maps directly to client exploitation (T1203), user execution of a malicious file (T1204.002), and the Unix shell interpreter (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, which allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position; however, the filename is not sanitized and is taken literally from the tar archive. This allows shell commands to be executed via specially crafted tar archives. Whether this really happens depends on the shell being used (the 'shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164.

Deeper analysis

CVE-2025-27423 is a command injection vulnerability in the tar.vim plugin distributed with Vim, an open source command-line text editor. Starting with Vim version 9.1.0858, the plugin uses the ":read" ex command to append tar archive content below the cursor, but fails to sanitize filenames extracted from the archive. This allows attackers to execute arbitrary shell commands by crafting malicious tar files, with execution depending on the configured shell option set via the $SHELL environment variable. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-77: Command Injection. It was fixed in Vim patch v9.1.1164.

An attacker with local access can exploit this vulnerability by providing a specially crafted tar archive (compressed or uncompressed) to a victim. Exploitation requires the user to open the malicious tar file in Vim while the tar.vim plugin is active, triggering the unsanitized ":read" command and potential shell command execution. Successful exploitation grants high-impact confidentiality and integrity violations, such as reading sensitive files or modifying system state, but no availability impact. No privileges are required beyond local access, though user interaction is necessary.

Vim developers addressed the issue in patch v9.1.1164, with fixes detailed in GitHub commits 129a8446d23cd9cb4445fcfea259cba5e0487d29 and 334a13bff78aa0ad206bc436885f63e3a0bab399, as documented in the GitHub security advisory GHSA-wfmf-8626-q3r3. Vendors such as NetApp have also issued advisories, for example ntap-20250502-0002, recommending updates to patched Vim versions for affected products. Security practitioners should ensure Vim installations are updated to v9.1.1164 or later and advise users to avoid opening untrusted tar archives in Vim.
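Two defender-side checks that follow from the analysis above, written as an added example rather than code from Vim, NVD or this page: one parses `vim --version` output to decide whether a build sits in the affected 9.1 patch range (9.1.0858 up to the fix in 9.1.1164), the other lists tar members whose names fall outside a conservative allow-list, which is the kind of untrusted input tar.vim passed to ':read' unsanitized. The version strings and archive contents are constructed samples; the allow-list is an assumption chosen for triage, not Vim's own sanitization rule.

```python
import io
import re
import tarfile

# Affected range from the advisory: tar.vim in Vim 9.1.0858 until the fix in 9.1.1164.
AFFECTED_FIRST_PATCH = 858
FIXED_PATCH = 1164

# Assumed triage allow-list for archive member names: anything outside it is worth a look
# before the archive is opened in an unpatched Vim, because the name reached ':read' literally.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/+-]+$")


def vim_is_affected(version_output: str) -> bool:
    """Parse `vim --version` text and report whether the build is inside the vulnerable
    Vim 9.1 patch range. Returns False when the text cannot be parsed."""
    ver = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", version_output)
    patches = re.search(r"Included patches:\s*([\d,\s-]+)", version_output)
    if not ver or not patches:
        return False
    if (int(ver.group(1)), int(ver.group(2))) != (9, 1):
        return False
    # Highest included patch number: the last range end in e.g. "1-1164" or "1-850, 900-1000".
    tokens = [tok.strip() for tok in patches.group(1).split(",") if tok.strip()]
    highest = max(int(tok.split("-")[-1]) for tok in tokens)
    return AFFECTED_FIRST_PATCH <= highest < FIXED_PATCH


def suspicious_members(tar_bytes: bytes) -> list[str]:
    """Return member names in a (possibly compressed) tar archive that contain characters
    outside the allow-list, in archive order."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not SAFE_NAME.match(member.name):
                flagged.append(member.name)
    return flagged


def build_sample_tar(names: list[str]) -> bytes:
    """Constructed in-memory archive for demonstration; each member holds a short text body."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            body = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```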

Details

CWE(s): CWE-77 (Command Injection)

Affected Products:
- vim / vim: 9.1.0858 to 9.1.1164
- netapp / hci compute node: all versions

CVEs Like This One

- CVE-2025-1215 (same product: Vim Vim)
- CVE-2026-34714 (same product: Vim Vim)
- CVE-2025-0509 (same product: Netapp Hci Compute Node)
- CVE-2026-39881 (same product: Vim Vim)
- CVE-2026-28421 (same product: Vim Vim)
- CVE-2026-33412 (same product: Vim Vim)
- CVE-2025-1861 (same product class: NAS / storage appliance)
- CVE-2024-53700 (same product class: NAS / storage appliance)
- CVE-2024-56171 (same product: Netapp Hci Compute Node)
- CVE-2025-24813 (same product: Netapp Hci Compute Node)
