
CVE-2025-63680: n/a

High
Type: Vulnerability
Published: Fri Nov 14 2025 (11/14/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw (CWE-22) that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry. By creating a trailing-dot folder and placing a same-basename script, Nero BackItUp renders the file as a folder icon and then invokes ShellExecuteW, which executes the script via PATHEXT fallback (.COM/.EXE/.BAT/.CMD). The issue affects recent Nero BackItUp product lines (2019-2025 and earlier) and has been acknowledged by the vendor.

AI-Powered Analysis

AI analysis last updated: 11/14/2025, 19:02:13 UTC

Technical Analysis

CVE-2025-63680 is a vulnerability in Nero BackItUp, affecting the 2019 through 2025 product lines (and earlier). The issue stems from improper path parsing and UI rendering of folder names that end in a trailing dot. An attacker creates a folder with a trailing dot and places a script file that shares the folder's basename. Nero BackItUp renders the crafted entry with a folder icon, but when a user clicks it, the software passes the path to the Windows API ShellExecuteW. Because ShellExecuteW falls back to resolving the extension via PATHEXT, it locates and runs the script with an executable extension such as .COM, .EXE, .BAT, or .CMD. The result is arbitrary code execution in the context of the user running Nero BackItUp. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a path parsing flaw. No CVSS score has been assigned yet, and no public exploits have been reported. The vendor has acknowledged the issue but has not yet released patches. The flaw requires user interaction (clicking the crafted entry) but no elevated privileges or prior authentication, which makes it a significant risk in environments where users interact with backup software regularly. Successful exploitation affects confidentiality, integrity, and availability, potentially leading to full system compromise or lateral movement within the network.

Potential Impact

For European organizations, the impact of CVE-2025-63680 can be substantial. Nero BackItUp is used by both consumers and enterprises for backup and recovery, so compromised systems could lead to data loss, ransomware deployment, or unauthorized access to sensitive information. The arbitrary code execution capability allows attackers to install malware, exfiltrate data, or disrupt backup operations, which are critical for business continuity. Enterprises relying on Nero BackItUp for backup may face operational disruptions if attackers exploit this vulnerability to corrupt backups or disable recovery processes. The requirement for user interaction limits mass exploitation, but targeted phishing or social engineering campaigns could be effective. Organizations with less mature endpoint security or user training are at higher risk. The vulnerability could also be leveraged as an initial foothold in a multi-stage attack chain, especially in environments where backup software runs with elevated privileges or interacts with network shares.

Mitigation Recommendations

Immediate mitigation should focus on user education: users should avoid clicking suspicious or unexpected entries within Nero BackItUp interfaces. Organizations should implement strict access controls on backup directories to prevent unauthorized file creation, restricting write permissions to trusted users only. Monitoring and alerting on unusual file or folder creation patterns, in particular folder names with trailing dots and script files that share a folder's basename, can help detect exploitation attempts. Until official patches are released, consider isolating systems running Nero BackItUp from untrusted networks and disabling automatic execution features where possible. Employ application whitelisting to prevent execution of unauthorized scripts or binaries from backup directories. Regularly audit backup software configurations and update to the latest version once patches become available. Endpoint detection and response (EDR) tooling should be tuned to flag ShellExecuteW calls triggered by unusual folder interactions. Finally, organizations should review and enhance their incident response plans so that exploitation scenarios involving backup software can be addressed quickly.
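As an added example (not vendor code and not part of this CVE record), the following Python audit implements the monitoring suggestion above: it walks a backup directory and flags any trailing-dot folder that sits beside a file with the same basename and one of the PATHEXT fallback extensions named in the description. The extension list, the sibling-placement assumption and the sample listing are the example's own.

```python
"""Audit a directory tree for the trailing-dot folder / same-basename
script pattern described for CVE-2025-63680 (added example)."""
import os
import sys
from typing import Iterable, List, Tuple

# Fallback extensions named in the CVE description (assumed order).
PATHEXT_FALLBACK = (".com", ".exe", ".bat", ".cmd")


def find_trailing_dot_pairs(entries: Iterable[Tuple[str, bool]]) -> List[Tuple[str, str]]:
    """entries: (name, is_dir) pairs from ONE directory listing.

    Returns sorted (folder, script) pairs where a folder name ends in a dot
    and a sibling file has the same basename plus a PATHEXT fallback extension.
    Matching is case-insensitive, as on Windows file systems."""
    dirs = [n for n, is_dir in entries
            if is_dir and n.endswith(".") and n not in (".", "..")]
    files = [n for n, is_dir in entries if not is_dir]
    hits = []
    for folder in dirs:
        base = folder.rstrip(".")  # Windows path handling drops trailing dots
        if not base:
            continue
        for fname in files:
            stem, ext = os.path.splitext(fname)
            if stem.lower() == base.lower() and ext.lower() in PATHEXT_FALLBACK:
                hits.append((folder, fname))
    return sorted(hits)


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return full paths of every suspicious (folder, script) pair."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        listing = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for folder, script in find_trailing_dot_pairs(listing):
            findings.append((os.path.join(dirpath, folder), os.path.join(dirpath, script)))
    return findings


# Constructed sample listing: two suspicious pairs, several benign entries.
SAMPLE_LISTING = [
    ("Photos", True), ("Photos.bat", False),      # folder has no trailing dot
    ("Reports.", True), ("Reports.bat", False),   # hit
    ("Reports.txt", False),                       # not a PATHEXT extension
    ("Invoices.", True), ("invoices.cmd", False), # hit (case-insensitive)
    ("Notes.", True),                             # trailing dot, no partner
]

if __name__ == "__main__":
    for folder, script in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"SUSPICIOUS: {folder!r} beside {script!r}")
```

Run it against a backup root to list pairs worth investigating; on the constructed listing it flags Reports./Reports.bat and Invoices./invoices.cmd only.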


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-10-27T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 691779316b210bb35bbae6f6

Added to database: 11/14/2025, 6:47:13 PM

Last enriched: 11/14/2025, 7:02:13 PM

Last updated: 11/15/2025, 9:59:05 AM

