Cyber Resilience

CVE-2025-27423

Severity: High
Published: 03 March 2025
Modified: 18 August 2025
CISA KEV: not listed
CVSS v3.1: 7.1 (High), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.0208 (84.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27423 is a high-severity command injection (CWE-77) vulnerability in the tar.vim plugin shipped with Vim. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 15.6% of CVEs by exploit likelihood (EPSS 0.0208, 84.4th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations this analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation); the definitive fix is updating Vim to patch 9.1.1164 or later.

Deeper analysis

Vim's tar.vim plugin, distributed with the editor and used for viewing and editing (compressed or uncompressed) tar archives, contains a command injection vulnerability. Starting with patch 9.1.0858, the plugin passes the member file name taken from the archive, unsanitized, to the ":read" ex command, and through it to the shell configured by Vim's 'shell' option. Shell metacharacters in a crafted member name are therefore interpreted rather than treated as part of a literal file name, so browsing a malicious tar file in Vim can run arbitrary commands. Whether a particular payload runs depends on which shell is configured ('shell' is set from $SHELL). The flaw is tracked as CWE-77 and carries a CVSS 7.1 rating, reflecting a local attack vector, low attack complexity, no privileges required, and required user interaction.

An attacker exploits the issue by delivering, through any channel, a malicious tar archive that the victim then opens or browses with Vim. When tar.vim processes the archive, the embedded payload executes with the privileges of the Vim process and can read or modify anything that user can, which is why the vector scores high confidentiality and integrity impact. Success depends on the victim's 'shell' setting and on the victim interacting with the archive inside Vim; no network access or elevated privileges are required, which is what the local attack vector (AV:L) and required user interaction (UI:R) in the CVSS vector express.
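The page states that an archive member name reached ":read", and through it the shell, without sanitization, but does not show the vulnerable code. The following added example (not Vim's code and not the tar.vim fix) is a pre-open check a practitioner can run over an archive before browsing it in Vim: it flags every member name containing something that Vim's command line or a POSIX shell would interpret rather than treat as a literal file name. The check is deliberately conservative, the helper names are this example's own, and the sample archive is constructed in memory with harmless command names so it runs offline.

```python
#!/usr/bin/env python3
"""Audit tar member names before the archive is opened in Vim.

Added example for this page (not Vim's code and not the tar.vim fix). The
page states that a member name from the archive reached ':read', and
through it the shell, without sanitization; this check therefore flags any
name that Vim's command line or a POSIX shell would interpret instead of
treating as a literal file name. It is deliberately conservative: a hit
means "inspect before opening", not "confirmed exploit".
"""
import io
import re
import tarfile
from typing import List, Optional, Tuple

# Patterns are tried in order and the first match is reported, so a name
# such as "!`id`" produces one finding. The reasons cite documented Vim
# behaviour (:help :read, :help cmdline-special) and ordinary shell syntax.
SUSPICIOUS_PATTERNS = (
    (re.compile(r"^\s*!"),
     "leading '!': ':read !{cmd}' executes {cmd} via the 'shell' option"),
    (re.compile(r"[`$;|&<>()\n\r]"),
     "shell metacharacter: interpreted if the name is interpolated into a shell command"),
    (re.compile(r"[%#]"),
     "'%' or '#': cmdline-special, expanded by Vim to the current or alternate file name"),
)


def classify_name(name: str) -> Optional[str]:
    """Return why a member name is unsafe to hand to :read unescaped, or None."""
    for pattern, reason in SUSPICIOUS_PATTERNS:
        if pattern.search(name):
            return reason
    return None


def audit_tar(data: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for every suspicious member in a tar
    archive given as bytes (plain or compressed; tarfile autodetects)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            reason = classify_name(member.name)
            if reason is not None:
                findings.append((member.name, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member plus one member per pattern
    class. The command-looking names use harmless commands ('id', 'uname')
    purely to illustrate what the audit catches."""
    names = ("docs/README.txt", "!id", "notes-`uname`.txt", "report;id", "backup#1.txt")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            payload = b"sample content\n"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    findings = audit_tar(build_sample_archive())
    for name, reason in findings:
        print(f"UNSAFE {name!r}: {reason}")
    print(f"{len(findings)} suspicious member name(s)")
```

Run it against a real archive with `audit_tar(open(path, "rb").read())`. The check only covers member names; a clean result says nothing about the archive's contents, and on a patched Vim (9.1.1164 or later) these names are escaped before ":read" sees them.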

The vulnerability was fixed in Vim patch 9.1.1164. The fix commit and remediation guidance are published in the Vim GitHub repository and in the GitHub Security Advisory GHSA-wfmf-8626-q3r3; NetApp has issued advisory NTAP-20250502-0002 for its affected products. Where updating is not immediately possible, tar.vim can be disabled by setting g:loaded_tarPlugin in the vimrc (the plugin's load guard), which stops it from registering the autocommands that open tar files in the editor.

The EPSS score has remained flat at 0.0208 since disclosure, with no material increase.

Vulnerability details

Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, which allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position; however, the filename is not sanitized and is taken literally from the tar archive. This allows executing shell commands via specially crafted tar archives. Whether this really happens depends on the shell being used (the 'shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 User Execution: Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.004 Command and Scripting Interpreter: Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in Vim's tar.vim plugin enables arbitrary Unix shell execution via a malicious tar file opened by the user, which maps directly to exploitation of a client application (T1203), user execution of a malicious file (T1204.002), and use of the Unix shell as the command interpreter (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1215 (same product: Vim)
CVE-2026-34714 (same product: Vim)
CVE-2025-0509 (same product: NetApp HCI Compute Node)
CVE-2026-39881 (same product: Vim)
CVE-2026-28421 (same product: Vim)
CVE-2026-33412 (same product: Vim)
CVE-2024-53700 (same product class: NAS / storage appliance)
CVE-2025-1861 (same product class: NAS / storage appliance)
CVE-2024-56171 (same product: NetApp HCI Compute Node)
CVE-2025-24813 (same product: NetApp HCI Compute Node)

Affected Assets

vim / vim: 9.1.0858 through 9.1.1163 (fixed in 9.1.1164)
netapp / hci compute node: all versions

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent (SI-2, Flaw Remediation): Requires timely remediation of known vulnerabilities such as CVE-2025-27423 by patching Vim to 9.1.1164 or later, which removes the command injection from tar.vim.

Prevent (SI-10, Information Input Validation): Mandates validation and sanitization of inputs such as tar member names before they are passed to Vim's ":read" command. In Vim script the general practice is to escape the name rather than concatenate it into a command line: fnameescape() for a file-name argument, shellescape() for anything that reaches the shell.

Detect (RA-5, Vulnerability Monitoring and Scanning): Facilitates identification of systems running a vulnerable Vim build (9.1.0858 through 9.1.1163) by vulnerability scanning, enabling patching before a crafted tar archive is opened.
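The RA-5 control above is only useful if the scanner gets the patch-range arithmetic right: a 9.1 build is affected when it includes patch 858 and lacks patch 1164, and Vim reports included patches as comma-separated ranges that can have gaps. The following added example (not a vendor scanner or Vim's own code) parses `vim --version` output and applies that rule. The `--version` samples are constructed, and the assumption that only the 9.1 line is affected follows the page's asset range.

```python
#!/usr/bin/env python3
"""Decide from 'vim --version' output whether a build falls in the affected
range for CVE-2025-27423 (9.1.0858 up to, but not including, 9.1.1164).

Added example for this page, not a vendor scanner. It parses only the two
lines of --version output whose format is stable across releases: the
"VIM - Vi IMproved X.Y" banner and the "Included patches:" list, which Vim
prints as comma-separated ranges (for example "1-500, 502-1100") when a
build omits individual patches. The sample outputs below are constructed.
"""
import re
from typing import FrozenSet, Optional, Tuple

# Patch numbers from the page: the flaw was introduced by 9.1.0858 and
# fixed by 9.1.1164, so a 9.1 build is affected only if it includes the
# former and lacks the latter.
AFFECTED_MINOR = (9, 1)
INTRODUCING_PATCH = 858
FIXING_PATCH = 1164

BANNER_RE = re.compile(r"^VIM - Vi IMproved (\d+)\.(\d+)", re.MULTILINE)
PATCHES_RE = re.compile(r"^Included patches:\s*(.*)$", re.MULTILINE)


def parse_vim_version(text: str) -> Optional[Tuple[int, int, FrozenSet[int]]]:
    """Return (major, minor, included_patches) or None if the banner is absent."""
    banner = BANNER_RE.search(text)
    if banner is None:
        return None
    major, minor = int(banner.group(1)), int(banner.group(2))
    patches = set()
    listing = PATCHES_RE.search(text)
    if listing is not None:
        for part in listing.group(1).split(","):
            part = part.strip()
            if not part:
                continue
            low, _, high = part.partition("-")
            high = high or low          # a bare number is a single patch
            patches.update(range(int(low), int(high) + 1))
    return major, minor, frozenset(patches)


def is_affected(major: int, minor: int, patches: FrozenSet[int]) -> bool:
    """True if this build carries the vulnerable tar.vim revision.

    Assumption: only the 9.1 line is affected, as the page's asset range
    states; 9.0 predates the change and later minors inherit the fix."""
    if (major, minor) != AFFECTED_MINOR:
        return False
    return INTRODUCING_PATCH in patches and FIXING_PATCH not in patches


def check_version_output(text: str) -> Optional[bool]:
    """Convenience wrapper: None when the output cannot be parsed."""
    parsed = parse_vim_version(text)
    return None if parsed is None else is_affected(*parsed)


# Constructed samples in the shape of real 'vim --version' output.
SAMPLE_AFFECTED = """\
VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Feb 20 2025 10:00:00)
Included patches: 1-1100
Compiled by example@localhost
Huge version without GUI.  Features included (+) or not (-):
"""
SAMPLE_FIXED = SAMPLE_AFFECTED.replace("Included patches: 1-1100",
                                       "Included patches: 1-1250")
SAMPLE_GAPPED = SAMPLE_AFFECTED.replace("Included patches: 1-1100",
                                        "Included patches: 1-857, 859-1100")
SAMPLE_OLD = """\
VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan 05 2024 12:00:00)
Included patches: 1-2189
"""

if __name__ == "__main__":
    for label, sample in (("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED),
                          ("gapped", SAMPLE_GAPPED), ("old", SAMPLE_OLD)):
        print(f"{label:>8}: affected={check_version_output(sample)}")
```

Feed it `subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout` on each host. The patch list describes the binary, so a distribution that backports the fix without advancing the patch number will still read as affected; treat a hit as "verify against the distribution's advisory", not as proof.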
