CVE-2026-25792 Overview
CVE-2026-25792 is an untrusted executable search path vulnerability (CWE-426) affecting Greenshot, a popular open source Windows screenshot utility. The vulnerability allows a local attacker to execute arbitrary code by exploiting how the application launches explorer.exe without using an absolute path when the user interacts with the system tray icon.
Critical Impact
Local attackers can achieve code execution in the context of the Greenshot application by placing a malicious executable in a directory that is searched before the legitimate Windows system directory.
Affected Products
- Greenshot version 1.3.312 and below
- getgreenshot greenshot (all affected versions)
Discovery Timeline
- 2026-03-20 - CVE-2026-25792 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-25792
Vulnerability Analysis
This vulnerability is classified as an Untrusted Search Path vulnerability (CWE-426), commonly known as binary hijacking (the executable-file counterpart of DLL planting). The flaw exists in how Greenshot invokes the Windows Explorer process when a user double-clicks the application's system tray icon to open the directory containing their most recent screenshot.
When Greenshot needs to open the screenshot directory, it calls explorer.exe without specifying the full absolute path to the Windows system binary. Windows follows a specific search order when locating executables, checking several directories before reaching the legitimate C:\Windows\explorer.exe. This creates a window of opportunity for attackers who have write access to directories earlier in the search path.
The vulnerability requires local access and user interaction (double-clicking the tray icon), but once triggered, the attacker's malicious code executes with the same privileges as the Greenshot application.
Root Cause
The root cause is the insecure practice of calling system executables without using fully-qualified absolute paths. When Greenshot invokes explorer.exe to open the screenshot directory, it relies on the Windows PATH environment variable to locate the executable rather than explicitly specifying C:\Windows\explorer.exe or using proper Windows API calls that would safely resolve the system binary location.
Attack Vector
The attack requires a local attacker to place a malicious executable named explorer.exe in a directory that Windows searches before the C:\Windows\ system directory. Common hijacking locations include the current working directory or directories added to the beginning of the PATH environment variable.
The attack sequence involves the attacker first gaining write access to a directory in the executable search path, then planting a malicious explorer.exe in that location. When the victim double-clicks the Greenshot tray icon, the application attempts to open the screenshot folder, but instead executes the attacker's malicious binary. The malicious code then runs with the privileges of the Greenshot process.
For technical details on this vulnerability, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-25792
Indicators of Compromise
- Presence of explorer.exe in non-standard locations such as user-writable directories, application folders, or TEMP directories
- Process execution of explorer.exe from paths other than C:\Windows\explorer.exe
- Unexpected child processes spawned by Greenshot that do not match normal application behavior
Detection Strategies
- Monitor for explorer.exe executions where the image path does not match C:\Windows\explorer.exe
- Configure endpoint detection to alert on newly created executables named explorer.exe in user-writable directories
- Implement application allowlisting to restrict execution of binaries from untrusted paths
- Use SentinelOne's behavioral AI to detect anomalous process creation patterns from Greenshot
Monitoring Recommendations
- Enable process creation auditing (Event ID 4688) with command line logging to capture full executable paths
- Monitor file system changes in directories that appear early in the system PATH variable
- Review Greenshot-related process trees for unexpected child processes or suspicious behaviors
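The 4688-based hunt described above, written out as an added example (not part of the advisory or the Greenshot project): it pulls recent process creation events, keeps only those whose new image is an explorer.exe outside the system directory, and reports the parent process so Greenshot-spawned hits stand out. It assumes process creation auditing is enabled; ParentProcessName is present from Windows 10 / Server 2016, and CommandLine is only populated when command-line auditing is switched on.

```powershell
# Added example; not from the advisory or the Greenshot project.
# Requires an elevated prompt (Security log access) and process creation auditing.
$SystemExplorer = Join-Path $env:SystemRoot 'explorer.exe'

function Find-SuspiciousExplorerStarts {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent throws when nothing matches; that case is simply "no hits" here.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($event in $events) {
        # Read EventData by field name from the XML view; Properties[] indexes vary between builds.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

        $image = $data['NewProcessName']
        if (-not $image) { continue }
        # String comparisons in PowerShell are case-insensitive by default.
        if ([IO.Path]::GetFileName($image) -ne 'explorer.exe') { continue }
        if ($image -eq $SystemExplorer) { continue }   # the legitimate shell binary

        [pscustomobject]@{
            Time              = $event.TimeCreated
            User              = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Image             = $image
            Parent            = $data['ParentProcessName']
            CommandLine       = $data['CommandLine']
            ParentIsGreenshot = ($data['ParentProcessName'] -like '*\greenshot.exe')
        }
    }
}

Find-SuspiciousExplorerStarts -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

Any row with ParentIsGreenshot set to True and an Image outside C:\Windows is the exact process tree the advisory describes; rows with other parents still deserve a look, since a planted explorer.exe can be reached by any process that resolves the name without a path.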
How to Mitigate CVE-2026-25792
Immediate Actions Required
- Restrict write permissions on directories that appear in the system PATH environment variable
- Audit systems for unauthorized executables named after common Windows binaries in user-writable locations
- Consider temporary removal of Greenshot until a patched version becomes available
- Implement application control policies to prevent execution of binaries from non-standard locations
Patch Information
This vulnerability did not have an official patch at the time of publication. Users should monitor the GitHub Security Advisory for updates from the Greenshot development team regarding a security fix.
Workarounds
- Avoid double-clicking the Greenshot tray icon to open screenshot directories; navigate to screenshot folders manually through Windows Explorer
- Remove write permissions from directories in the executable search path for non-administrative users
- Deploy application allowlisting solutions to prevent execution of unsigned or untrusted explorer.exe binaries
- Consider using alternative screenshot utilities until a patched version of Greenshot is released
rem Review PATH directories for potential hijacking locations (cmd.exe comment syntax is rem, not #)
echo %PATH%
rem Verify Greenshot is running from the expected location
wmic process where "name='greenshot.exe'" get ExecutablePath
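A fuller version of the PATH review above, as an added example (not from the advisory or the Greenshot project): it walks the locations the advisory names as hijack candidates, the PATH entries, plus the directory Greenshot itself runs from (an addition here: the application directory is searched before the system directory when a process is created), and flags any that broad low-privilege groups can create files in or that already contain an explorer.exe. The group list and the greenshot process name are assumptions; compare by SID so the check works on non-English Windows.

```powershell
# Added example; not from the advisory or the Greenshot project. Run elevated so every ACL is readable.
$LowPrivSids = @{                      # well-known SIDs of broad, low-privilege groups (assumed list)
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# CreateFiles (0x2) plus the generic rights that imply it; Modify and FullControl both contain 0x2.
$CreateFileBits = 0x2 -bor 0x10000000 -bor 0x40000000   # CreateFiles | GENERIC_ALL | GENERIC_WRITE

function Get-LowPrivCreateFileGrants {
    # Principals from $LowPrivSids whose Allow ACEs grant file creation in $Directory.
    # Deny ACEs are not subtracted: a non-empty result means "review this directory".
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $found = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $CreateFileBits) -eq 0) { continue }
        $LowPrivSids[$sid]
    }
    @($found | Sort-Object -Unique)
}

# Candidate directories: Greenshot's own folder (if running), then every PATH entry in order.
$candidates = [System.Collections.Generic.List[string]]::new()
$proc = Get-Process -Name greenshot -ErrorAction SilentlyContinue | Select-Object -First 1
if ($proc -and $proc.Path) { $candidates.Add((Split-Path -Parent $proc.Path)) }
foreach ($entry in ($env:Path -split ';')) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())
    if ($dir) { $candidates.Add($dir.TrimEnd('\')) }
}

$systemRoot = $env:SystemRoot.TrimEnd('\')
$candidates | Select-Object -Unique | ForEach-Object {
    if (-not (Test-Path -LiteralPath $_ -PathType Container)) { return }   # dead PATH entry
    [pscustomobject]@{
        Directory      = $_
        LowPrivWriters = (Get-LowPrivCreateFileGrants -Directory $_) -join ', '
        # explorer.exe belongs only in the Windows directory; anywhere else it is a planted binary.
        HasExplorerExe = ($_ -ne $systemRoot) -and (Test-Path -LiteralPath (Join-Path $_ 'explorer.exe'))
    }
} | Format-Table -AutoSize
```

A directory with a non-empty LowPrivWriters column is the write-access precondition the advisory describes and is the one to tighten first; HasExplorerExe set to True on any non-system directory should be treated as an indicator of compromise.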
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.