A significant security vulnerability has been identified in Greenshot, the widely used open-source screenshot tool for Windows.
The flaw lets a local attacker execute arbitrary code inside the Greenshot process, which can be used to bypass application-control policies and as a base for further malicious activity.
A proof-of-concept (PoC) exploit has been published. The vulnerability affects Greenshot version 1.3.300, released on August 20, 2025, and all earlier versions.
The issue is fixed in the newly released version 1.3.301. Users are strongly encouraged to update without delay.
Critical Vulnerability in Greenshot Screenshot Utility
The root of the vulnerability is in how Greenshot handles inter-process communication. The main Greenshot window accepts data sent through the Windows WM_COPYDATA message and does not treat it as untrusted input.
The received buffer is passed straight to BinaryFormatter.Deserialize, with no prior check of who sent it or whether its contents are what the application expects. Because WM_COPYDATA can be sent by any process running as the same user, any such local process can deliver a crafted message to the main Greenshot window and trigger the flaw.
The underlying bug is one of ordering: the handler deserializes the incoming data before it confirms that the message arrived over the expected channel.
A BinaryFormatter "gadget chain" embedded in the serialized payload runs during deserialization itself, so the attacker's code has already executed by the time the check is reached, regardless of whether the sender would have been accepted.
The result is that an attacker can run their own code inside the legitimate, digitally signed Greenshot application.
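The ordering bug described above, shown as an added illustration in C# (this is not Greenshot's source code): a WinForms window that receives WM_COPYDATA, with the vulnerable handler that deserializes first and checks afterwards next to a hardened handler that checks first and never hands the buffer to BinaryFormatter. The COPYDATASTRUCT layout is the Win32 one; the channel tag in dwData, the 64 KiB size cap, the plain-text payload format and the HandleCommand method are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Windows.Forms;

// Win32 COPYDATASTRUCT as passed in lParam of WM_COPYDATA.
[StructLayout(LayoutKind.Sequential)]
struct COPYDATASTRUCT
{
    public IntPtr dwData;   // sender-chosen tag
    public int cbData;      // size of lpData in bytes
    public IntPtr lpData;   // pointer to the copied buffer
}

class ReceiverForm : Form
{
    const int WM_COPYDATA = 0x004A;

    // Assumed channel tag the legitimate sender puts in dwData (example value).
    static readonly IntPtr ExpectedChannel = new IntPtr(0x4753);

    static byte[] CopyPayload(COPYDATASTRUCT cds)
    {
        var buf = new byte[cds.cbData];
        Marshal.Copy(cds.lpData, buf, 0, cds.cbData);
        return buf;
    }

    // VULNERABLE pattern: deserialize first, check the channel afterwards.
    // A gadget chain in the stream executes inside Deserialize(), so the
    // check on the next line never protects anything.
    void HandleCopyDataUnsafe(IntPtr lParam)
    {
        var cds = Marshal.PtrToStructure<COPYDATASTRUCT>(lParam);
        byte[] bytes = CopyPayload(cds);
        object obj = new BinaryFormatter().Deserialize(new MemoryStream(bytes)); // attacker code runs here
        if (cds.dwData != ExpectedChannel) return;                               // too late
        HandleCommand(obj);
    }

    // HARDENED pattern: reject unexpected traffic before touching the buffer,
    // bound the size, and parse a constrained format (strict UTF-8 text here)
    // instead of BinaryFormatter. No type graph is reconstructed from the input.
    void HandleCopyDataSafe(IntPtr lParam)
    {
        var cds = Marshal.PtrToStructure<COPYDATASTRUCT>(lParam);
        if (cds.dwData != ExpectedChannel) return;
        if (cds.cbData <= 0 || cds.cbData > 64 * 1024) return;
        byte[] bytes = CopyPayload(cds);
        string text;
        try
        {
            // throwOnInvalidBytes = true: malformed input is rejected, not silently mangled.
            text = new UTF8Encoding(false, true).GetString(bytes);
        }
        catch (ArgumentException)   // DecoderFallbackException derives from ArgumentException
        {
            return;
        }
        HandleCommand(text);
    }

    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_COPYDATA)
        {
            HandleCopyDataSafe(m.LParam);
            m.Result = new IntPtr(1);   // tell the sender the message was processed
            return;
        }
        base.WndProc(ref m);
    }

    // Assumed application logic that consumes the parsed command.
    void HandleCommand(object command) { }
}
```

Note that the channel check is not authentication: dwData, and the sender window handle in wParam, can be set to anything by any process that can post the message, so the check only filters accidental traffic. The real fix is to never run BinaryFormatter over this input at all; the class is deprecated and disabled by default in recent .NET versions for exactly this reason, and any format that reconstructs arbitrary types from attacker bytes will reintroduce the problem.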
The consequences are serious: arbitrary code execution inside a trusted process. Because the payload runs within Greenshot.exe, a signed and typically allow-listed binary, an attacker can evade application control mechanisms such as AppLocker or Windows Defender Application Control (WDAC).

These controls decide which executables and libraries may be loaded from disk, but they do not govern what an already-allowed process does with data it deserializes in memory.
The published PoC demonstrates this by launching the Windows Command Prompt (cmd.exe) directly from the Greenshot process with a trivial payload.
For organizations, the threat is concrete: an attacker who has obtained a low-privilege foothold on a workstation where Greenshot is installed can use it to run code without dropping a new executable.
This technique, colloquially called "living inside a trusted app," can be used for persistence, lateral movement, or as a springboard for further in-process attacks that do not trigger the alerts a new binary would.
No workarounds are known; upgrading to version 1.3.301 is the only fix.
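Since the only remedy is the upgrade, the two things a defender wants are an inventory of vulnerable installs and a way to spot the PoC's behaviour (a child process spawned by Greenshot.exe). The PowerShell below is an added example, not from the advisory or the Greenshot project; it assumes the default install paths shown and that Sysmon is deployed and writing process-creation events (Event ID 1) to its usual log.

```powershell
# Added example: audit Greenshot version and hunt for child processes of Greenshot.exe.
# Assumptions: default install paths below; Sysmon Event ID 1 is being logged.

$FixedVersion = [version]'1.3.301'   # fixed release named in the advisory

function Get-GreenshotStatus {
    $candidates = @(
        "$env:ProgramFiles\Greenshot\Greenshot.exe",
        "${env:ProgramFiles(x86)}\Greenshot\Greenshot.exe"
    )
    foreach ($exe in $candidates) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        # Build the version from the numeric parts so odd FileVersion strings cannot break the cast.
        $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path       = $exe
            Installed  = $installed
            Vulnerable = ($installed -lt $FixedVersion)   # 1.3.300.x and earlier are affected
        }
    }
}

function Find-GreenshotChildren {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ParentImage -like '*\Greenshot.exe') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Child       = $data.Image
                CommandLine = $data.CommandLine
                ParentCmd   = $data.ParentCommandLine
            }
        }
    }
}

Get-GreenshotStatus     | Format-Table -AutoSize
Find-GreenshotChildren  | Format-Table -AutoSize
```

The version check also covers per-machine installs only; per-user or portable copies need their own paths added to the list. Greenshot can legitimately start other programs (for example through its external-command feature), so baseline the children you see before alerting; cmd.exe or powershell.exe appearing under Greenshot.exe with no user action is the signal that matches the published PoC.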
Source link: Cybersecuritynews.com.