Cyber Resilience

CVE-2025-59050

High · Public PoC

Published: 16 September 2025

Modified: 02 October 2025
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (57.1th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59050 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Getgreenshot Greenshot. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Inter-Process Communication (T1559). The CVE ranks in the top 42.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59050 is a deserialization vulnerability in Greenshot, an open source Windows screenshot utility. Versions 1.3.300 and earlier are affected due to unsafe use of BinaryFormatter.Deserialize on attacker-controlled data received via a WM_COPYDATA message (message 74) in a WinForms WndProc handler. The handler copies the supplied bytes into a MemoryStream and deserializes them without prior validation or authentication, only checking channel authorization afterward, which allows gadget chains in the payload to execute regardless.

A local attacker with a process at the same integrity level as Greenshot can exploit this by sending a crafted WM_COPYDATA message to the Greenshot main window. This triggers arbitrary code execution within the Greenshot process, potentially enabling evasion of application control policies by running payloads inside the trusted, signed Greenshot.exe process.

The vulnerability is fixed in Greenshot version 1.3.301, as detailed in the project's security advisory (GHSA-8f7f-x7ww-xx5w) and the associated commit (f5a29a2ed3b0eb49231c0f4618300f488cf1b04d). No known workarounds exist.
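The ordering flaw described above, shown as an added C# example that is neither Greenshot's code nor its actual patch: `HandleUnsafe` builds the object graph before the channel check, while `TryHandleSafe` bounds the size, parses a fixed layout and checks an allowlist before using any data. The class, method names, channel value, size limit and wire layout are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Serialization.Formatters.Binary; // .NET Framework; obsolete in modern .NET
using System.Text;

// Added example: hypothetical names and wire layout, not Greenshot's code.
static class CopyDataHandling
{
    const int MaxPayload = 64 * 1024;   // assumed upper bound for one IPC message
    static readonly HashSet<string> AllowedChannels = new HashSet<string> { "example-channel" }; // constructed
    [StructLayout(LayoutKind.Sequential)]
    struct COPYDATASTRUCT { public IntPtr dwData; public int cbData; public IntPtr lpData; }

    // Vulnerable order, as the page describes it: the object graph is built first,
    // so any gadget chain in the payload runs before the channel check is reached.
    public static object HandleUnsafe(byte[] payload, Func<object, bool> isAuthorized)
    {
        object msg = new BinaryFormatter().Deserialize(new MemoryStream(payload)); // sender picks the types
        return isAuthorized(msg) ? msg : null;                                     // too late
    }

    // Hardened order: bound the size, parse a fixed layout, authorize, then use the data.
    // Assumed layout: [1-byte channel length][channel name, ASCII][message text, UTF-8]
    public static bool TryHandleSafe(byte[] payload, out string channel, out string text)
    {
        channel = null; text = null;
        if (payload == null || payload.Length < 1 || payload.Length > MaxPayload) return false;
        int nameLen = payload[0];
        if (nameLen == 0 || 1 + nameLen > payload.Length) return false;
        string name = Encoding.ASCII.GetString(payload, 1, nameLen);
        if (!AllowedChannels.Contains(name)) return false;   // authorize before touching the body
        channel = name;
        text = Encoding.UTF8.GetString(payload, 1 + nameLen, payload.Length - 1 - nameLen);
        return true;
    }

    // Copies the WM_COPYDATA buffer out of the message after checking its declared length.
    public static byte[] ReadCopyData(IntPtr lParam)
    {
        var cds = Marshal.PtrToStructure<COPYDATASTRUCT>(lParam);
        if (cds.cbData <= 0 || cds.cbData > MaxPayload || cds.lpData == IntPtr.Zero) return null;
        var buf = new byte[cds.cbData];
        Marshal.Copy(cds.lpData, buf, 0, cds.cbData);
        return buf;
    }
}
```

The allowlist only constrains what the handler accepts; it does not authenticate the sender, because any process at the same integrity level can send WM_COPYDATA to the window. The protection comes from never passing the received bytes to a type-driven deserializer.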

Vulnerability details

Greenshot is an open source Windows screenshot utility. Greenshot 1.3.300 and earlier deserializes attacker-controlled data received in a WM_COPYDATA message using BinaryFormatter.Deserialize without prior validation or authentication, allowing a local process at the same integrity level to trigger arbitrary code execution inside the Greenshot process. The vulnerable logic resides in a WinForms WndProc handler for WM_COPYDATA (message 74) that copies the supplied bytes into a MemoryStream and invokes BinaryFormatter.Deserialize, and only afterward checks whether the specified channel is authorized. Because the authorization check occurs after deserialization, any gadget chain embedded in the serialized payload executes regardless of channel membership. A local attacker who can send WM_COPYDATA to the Greenshot main window can achieve in-process code execution, which may aid evasion of application control policies by running payloads within the trusted, signed Greenshot.exe process. This issue is fixed in version 1.3.301. No known workarounds exist.

CWE(s)

CWE-502: Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1559 Inter-Process Communication (Tactic: Execution)
Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution.
Why these techniques?

Unsafe deserialization triggered via WM_COPYDATA IPC message enables local arbitrary code execution inside the Greenshot process.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22035: Same product: Getgreenshot Greenshot
CVE-2024-13770: Shared CWE-502
CVE-2026-27303: Shared CWE-502
CVE-2026-21226: Shared CWE-502
CVE-2025-53586: Shared CWE-502
CVE-2026-29782: Shared CWE-502
CVE-2025-15579: Shared CWE-502
CVE-2025-54007: Shared CWE-502
CVE-2025-64353: Shared CWE-502
CVE-2026-26220: Shared CWE-502

Affected Assets

Vendor: getgreenshot · Product: greenshot · Versions: ≤ 1.3.301

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires validation of untrusted inputs such as WM_COPYDATA payloads prior to deserialization, preventing arbitrary code execution gadget chains.

prevent: Establishes processes to identify, prioritize, and remediate flaws like the unsafe BinaryFormatter.Deserialize usage by patching to version 1.3.301.

detect: Enables vulnerability scanning to identify and monitor systems running vulnerable Greenshot versions affected by CVE-2025-59050.

References