CVE-2025-63680 is a vulnerability identified in the Nero BackItUp software line spanning versions from 2019 to 2025 and earlier. The root cause is a path traversal and UI rendering flaw classified under CWE-22. Specifically, the software incorrectly handles folder names with trailing dots, which Windows normally disallows but can be exploited here. An attacker can create a folder with a trailing dot and place a malicious script file sharing the same basename inside it. Nero BackItUp then renders this script as a folder icon in its UI. When a user clicks this crafted folder entry, the software calls the Windows API ShellExecuteW to open it. Due to Windows ShellExecuteW’s fallback extension resolution behavior (PATHEXT), the system executes the malicious script file with extensions such as .COM, .EXE, .BAT, or .CMD. This results in arbitrary code execution under the context of the logged-in user without requiring elevated privileges. The vulnerability requires user interaction (clicking the crafted entry) but no prior authentication or complex conditions. The flaw impacts confidentiality, integrity, and availability by allowing attackers to run arbitrary code, potentially leading to system compromise, data theft, or ransomware deployment. The vendor has acknowledged the issue, but no patches or public exploits are currently available. The CVSS 3.1 score of 8.6 reflects a high severity due to low attack complexity, no privileges required, user interaction needed, and a scope change (code execution).

For European organizations, this vulnerability poses a significant risk especially to those relying on Nero BackItUp for critical data backup and recovery. Successful exploitation can lead to arbitrary code execution, enabling attackers to install malware, exfiltrate sensitive data, or disrupt backup operations. This can compromise business continuity and data integrity, particularly in sectors like finance, healthcare, and government where backups are vital. The requirement for user interaction means phishing or social engineering could be used to trick users into clicking malicious entries. The vulnerability’s ability to execute code with user-level privileges can be leveraged to escalate privileges or move laterally within networks. Given the widespread use of Windows environments and Nero products in Europe, the threat could affect a broad range of enterprises, SMBs, and public institutions. The absence of known exploits currently provides a window for proactive mitigation, but the high CVSS score indicates urgency in addressing the flaw before active exploitation emerges.

1. Monitor for vendor updates and apply patches immediately once released to address the path parsing/UI rendering flaw. 2. Until patches are available, restrict user ability to click or interact with backup entries that originate from untrusted or external sources. 3. Educate users about the risk of clicking unexpected or suspicious backup entries, emphasizing caution with UI elements that resemble folders but may be malicious. 4. Implement application whitelisting and endpoint protection solutions that can detect and block execution of unauthorized scripts or binaries launched via ShellExecuteW. 5. Use Windows Group Policy to disable or restrict execution of scripts with extensions commonly exploited via PATHEXT fallback (e.g., .BAT, .CMD) in user directories or backup folders. 6. Employ network segmentation to limit the spread of malware if arbitrary code execution occurs. 7. Regularly audit backup files and folder structures for anomalous naming patterns such as trailing dots or suspicious scripts. 8. Enhance logging and monitoring to detect unusual ShellExecuteW invocations or user interactions with backup software UI components.