How to fix CVE-2025-66476?

Within 24 hours: Identify all Windows systems running Vim and document versions in use. Within 7 days: Upgrade Vim to version 9.1.1947 or later on all affected systems; prioritize development, engineering, and administrative workstations. Within 30 days: Validate patch deployment across the organization and update endpoint security policies to restrict execution from user-writable directories.

Is Ubuntu affected by CVE-2025-66476?

Vim on Windows systems prior to version 9.1.1947 is vulnerable to arbitrary code execution through malicious executables placed in the same directory as edited files.

CVE-2025-66476

EUVD-2025-200373 HIGH

2025-12-02 [email protected]

7.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 14:04 euvd

EUVD-2025-200373

Analysis Generated

Mar 15, 2026 - 14:04 vuln.today

Patch Released

Mar 15, 2026 - 14:04 nvd

Patch available

CVE Published

Dec 02, 2025 - 22:16 nvd

HIGH 7.8

Description

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

Analysis

Technical Context

This vulnerability is classified as Uncontrolled Search Path Element (CWE-427).

Affected Products

Affected products: Vim Vim

Remediation

A vendor patch is available. Apply it as soon as possible and verify the fix.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +39

POC: 0

Vendor Status

Ubuntu

Priority: Medium

vim

Release	Status	Version
upstream	not-affected	debian: Only affects Vim on Windows
bionic	not-affected	windows only
focal	not-affected	windows only
jammy	not-affected	windows only
noble	not-affected	windows only
plucky	not-affected	windows only
questing	not-affected	windows only
trusty	not-affected	windows only
xenial	not-affected	windows only

Debian

vim

Release	Status	Fixed Version	Urgency
bullseye	fixed	2:8.2.2434-3+deb11u1	-
bullseye (security)	fixed	2:8.2.2434-3+deb11u3	-
bookworm	fixed	2:9.0.1378-2+deb12u2	-
trixie	fixed	2:9.1.1230-2	-
forky	fixed	2:9.1.2141-1	-
sid	fixed	2:9.2.0136-1	-
(unstable)	not-affected	-	-

CVE-2025-66476 vulnerability details – vuln.today

Back

CVE-2025-66476

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-66476

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code