
Windows CVE-2025-4613

EUVD-2025-18165 | HIGH
Improper Input Validation (CWE-20)
2025-06-12 · cve-coordination@google.com
CVSS 3.1 (NVD): 8.8

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (7 events)

Analysis Updated: Apr 16, 2026 06:39 (EUVD-patch-fix) executive_summary
Re-analysis Queued: Apr 16, 2026 05:29 (backfill_euvd_patch) patch_released
Patch available: Apr 16, 2026 05:29 (EUVD) 16.3.0.0407
EUVD ID Assigned: Mar 14, 2026 21:20 (euvd) EUVD-2025-18165
Analysis Generated: Mar 14, 2026 21:20 (vuln.today)
PoC Detected: Aug 01, 2025 22:07 (vuln.today) Public exploit code
CVE Published: Jun 12, 2025 09:15 (nvd) HIGH 8.8

Description (CVE.org)

Path traversal in Google Web Designer's template handling versions prior to 16.3.0.0407 on Windows allows attacker to achieve remote code execution by tricking users into downloading a malicious ad template

Analysis (AI)

This is a path traversal vulnerability in Google Web Designer's template handling mechanism that enables remote code execution when users are socially engineered into downloading malicious ad templates. Versions prior to 16.3.0.0407 on Windows are affected. The vulnerability requires user interaction (UI:R) but no authentication (PR:N). While CVSS 8.8 indicates high severity with complete confidentiality, integrity, and availability impact, exploitation probability and KEV status are not provided in the available intelligence.

Technical Context (AI)

The vulnerability exists in Google Web Designer's ad template handling functionality on Windows, where insufficient input validation (CWE-20: Improper Input Validation) allows path traversal. The vulnerability likely permits directory traversal sequences (e.g., ../ or absolute paths) in template file paths, enabling an attacker to write or execute arbitrary code outside the intended template directory. Google Web Designer is a WYSIWYG editor for creating HTML5-based ads; the template system is designed to import pre-built designs, but inadequate sanitization of file paths within these templates turns template import into a route to code execution. The Windows-specific nature suggests OS-level path resolution differences (backslash handling, UNC paths, or alternate data streams) may be involved.
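The defensive counterpart to the path handling described above is a containment check applied to every file name inside an imported template bundle before it is joined onto the destination directory. The following is an added example written for this page, not Google Web Designer's code, and it assumes nothing about the product's real archive format: the entry names, the base directory and the `UnsafeTemplatePath` exception are hypothetical. It deliberately uses Python's `ntpath` module so that Windows rules (both separators, drive letters, UNC prefixes, alternate data streams, trailing-dot stripping, reserved device names) are enforced identically on any host.

```python
import ntpath

# Device names Win32 resolves regardless of directory or extension ("CON.txt" is still CON).
_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


class UnsafeTemplatePath(ValueError):
    """An archive entry that must not be written under the template directory (hypothetical name)."""


def normalize_entry(entry_name: str) -> str:
    """Return a clean, relative, forward-slash entry name or raise UnsafeTemplatePath.

    Windows path rules are applied regardless of the host OS so the check is deterministic.
    """
    if not entry_name or "\x00" in entry_name:
        raise UnsafeTemplatePath("empty name or embedded NUL")
    # Windows accepts both separators; collapse them before any other check.
    name = entry_name.replace("\\", "/")
    # "C:", "//server/share" and "//?/..." prefixes all end up in `drive`.
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("/"):
        raise UnsafeTemplatePath(f"absolute, drive-relative or UNC path: {entry_name!r}")
    parts = []
    for part in rest.split("/"):
        if part in ("", "."):
            continue  # harmless: "a//b", "./a"
        if part == "..":
            raise UnsafeTemplatePath(f"parent traversal: {entry_name!r}")
        if ":" in part:
            raise UnsafeTemplatePath(f"alternate data stream or drive syntax: {entry_name!r}")
        if part != part.rstrip(" ."):
            # Win32 silently strips trailing dots/spaces, so "evil.exe." lands as "evil.exe".
            raise UnsafeTemplatePath(f"trailing dot/space aliasing: {entry_name!r}")
        if part.split(".")[0].upper() in _RESERVED:
            raise UnsafeTemplatePath(f"reserved device name: {entry_name!r}")
        parts.append(part)
    if not parts:
        raise UnsafeTemplatePath(f"no file component: {entry_name!r}")
    return "/".join(parts)


def is_safe_entry(entry_name: str) -> bool:
    """Boolean view of normalize_entry for triage or unit tests."""
    try:
        normalize_entry(entry_name)
        return True
    except UnsafeTemplatePath:
        return False


def resolve_template_entry(base_dir: str, entry_name: str) -> str:
    """Return the absolute Windows destination path for entry_name, or raise.

    base_dir must be an absolute Windows path (the per-template directory). Even after
    normalize_entry, the joined result is re-checked for containment so that a future
    change to the component rules cannot silently widen what gets written.
    """
    if not ntpath.isabs(base_dir):
        raise ValueError("base_dir must be absolute")
    base = ntpath.normpath(base_dir)
    rel = normalize_entry(entry_name)
    dest = ntpath.normpath(ntpath.join(base, rel))
    if dest == base or ntpath.commonpath([base, dest]) != base:
        raise UnsafeTemplatePath(f"escapes template directory: {entry_name!r}")
    return dest


if __name__ == "__main__":
    # Constructed entry names for illustration; not taken from any real template.
    SAMPLE = [
        "index.html",
        "assets\\banner.png",
        "..\\..\\..\\Users\\Public\\evil.exe",
        "C:\\Windows\\System32\\x.dll",
        "\\\\attacker\\share\\x",
        "index.html:payload",
        "assets/./../index.html",
    ]
    base = r"C:\Users\alice\AppData\Local\GWD\templates"  # hypothetical destination
    for name in SAMPLE:
        try:
            print(f"{name!r:45} -> {resolve_template_entry(base, name)}")
        except UnsafeTemplatePath as exc:
            print(f"{name!r:45} -> REJECTED: {exc}")
```

Note that `..` is rejected anywhere in a name, even where it would still resolve inside the base directory, because there is no legitimate reason for a template bundle to contain it; the final `commonpath` check exists only as a second layer behind that rule.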

Remediation (AI)

Immediate patching is required:
(1) Update Google Web Designer to version 16.3.0.0407 or later on all affected Windows systems.
(2) If immediate patching is not feasible, implement network-level controls restricting user downloads of ad templates from untrusted sources, or disable template import functionality via group policy on Windows.
(3) Educate users against downloading ad templates from unverified or suspicious sources, particularly from email or unencrypted communication channels.
(4) Consider running Google Web Designer in isolated virtual environments or containers to limit the impact of code execution.
(5) Monitor for suspicious template imports or unusual file system activity in Web Designer working directories.
Vendor advisory and patch download links should be obtained directly from Google's official security advisory or Web Designer release notes.


CVE-2025-4613 vulnerability details – vuln.today
