CVE-2025-4613
BaseFortify
Publication date: 2025-06-12
Last updated on: 2025-08-01
Assigner: Google Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| google | web_designer | up to 16.3.0.0407 (excluding) |
| microsoft | windows | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-4613 is a client-side remote code execution vulnerability in Google Web Designer for Windows versions prior to 16.3.0.0407. It arises from improper URL parsing in the handling of remote assets within template metadata. Attackers can craft malicious ad templates containing URLs with path traversal sequences in the fragment portion, allowing them to write files outside the intended directory, such as the Windows Startup folder. When a user opens such a malicious template, the attacker-controlled files are downloaded and saved in locations that cause them to execute on the next user login, leading to remote code execution on the victim's machine. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to gain complete control over a victim's Windows machine by tricking users into opening malicious ad templates in Google Web Designer. The attacker can execute arbitrary code in the context of the user, potentially leading to privilege escalation and persistent compromise through files placed in the Startup folder that execute on user login. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for suspicious activity related to Google Web Designer templates, especially the presence of unexpected files in the Windows Startup folder (`%HOMEPATH%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`) that could indicate exploitation. Since the exploit involves downloading files with path traversal in the URL fragment, you can check for unusual template files or remoteAssets URLs containing path traversal sequences (e.g., `..\`) or batch files (`.bat`) in template directories. Commands to help detect this include:

1. Listing files in the Startup folder to find unexpected files: `dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"`
2. Searching template directories for suspicious files: `dir "%HOMEPATH%\Documents\Google Web Designer\templates" /s`
3. Using PowerShell to find recently created or modified files in the Startup folder: `Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }`
4. Reviewing network logs or proxy logs for HTTP requests from Google Web Designer to external hosts with URLs containing suspicious fragments or path traversal patterns.

These steps can help identify signs of exploitation or attempted exploitation. [1]
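The following Python script is an added example, not code from BaseFortify or from Google Web Designer. It shows the two checks the answer above describes in a form that can be run over extracted template URLs: flagging any remoteAssets URL whose path, query or fragment carries a traversal segment or an executable file name, and a directory-containment check of the kind a downloader must apply so that a derived file name cannot resolve outside the asset directory. The template metadata format is not documented on this page, so the checker takes a plain list of URLs; the sample URLs and the asset directory are constructed for illustration.

```python
"""Added example (not from the advisory): flag remote-asset URLs that carry a
path traversal sequence or an executable file name, and check whether a
derived file name would escape the intended asset directory.

Assumptions: the template metadata format is not described on the page, so
the checker takes a plain list of URLs. SAMPLE_URLS and the directory used in
__main__ are constructed for illustration.
"""
import ntpath
import re
from urllib.parse import unquote, urlsplit

# "..\" or "../" as a whole path segment, anywhere in the URL component.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# File extensions that a downloaded ad asset should never be written as.
EXEC_EXTENSIONS = {".bat", ".cmd", ".exe", ".ps1", ".vbs", ".hta", ".lnk", ".scr"}


def url_findings(url: str) -> list[str]:
    """Return human-readable findings for one remote-asset URL (empty if clean)."""
    parts = urlsplit(url)
    findings = []
    for label, component in (("path", parts.path),
                             ("query", parts.query),
                             ("fragment", parts.fragment)):
        decoded = unquote(component)  # also catches %2e%2e%5c style encodings
        if TRAVERSAL_RE.search(decoded):
            findings.append(f"traversal sequence in {label}")
        ext = ntpath.splitext(decoded.replace("/", "\\"))[1].lower()
        if ext in EXEC_EXTENSIONS:
            findings.append(f"executable extension {ext} in {label}")
    return findings


def escapes_directory(asset_dir: str, relative_name: str) -> bool:
    """True if joining relative_name onto asset_dir resolves outside asset_dir.

    This is the containment check applied after normalising the joined path;
    without it a name containing "..\\" segments lands outside the directory.
    """
    base = ntpath.normpath(asset_dir)
    target = ntpath.normpath(ntpath.join(base, relative_name))
    try:
        common = ntpath.commonpath([base, target])
    except ValueError:  # different drive, or absolute/relative mix
        return True
    return ntpath.normcase(common) != ntpath.normcase(base)


def scan_remote_assets(urls: list[str]) -> dict[str, list[str]]:
    """Map each suspicious URL to its findings; clean URLs are omitted."""
    return {u: f for u in urls if (f := url_findings(u))}


# Constructed sample input: one benign asset URL and two suspicious ones.
SAMPLE_URLS = [
    "https://cdn.example.invalid/ads/logo.png",
    "https://cdn.example.invalid/ads/logo.png#..\\..\\run.bat",
    "https://cdn.example.invalid/ads/logo.png#%2e%2e%5c%2e%2e%5cstart.cmd",
]

if __name__ == "__main__":
    for url, findings in scan_remote_assets(SAMPLE_URLS).items():
        print(url)
        for finding in findings:
            print("  -", finding)
    assets = r"C:\Users\alice\Documents\GWD\assets"  # constructed directory
    print("logo.png escapes:", escapes_directory(assets, "logo.png"))
    print("..\\..\\x.bat escapes:",
          escapes_directory(assets, r"..\..\AppData\Roaming\x.bat"))
```

Feed `scan_remote_assets` the URLs pulled from template metadata (or from proxy logs of requests made by Google Web Designer, as item 4 above suggests); any hit is worth a look at the template that contained it and at the Startup folder listing from items 1 and 3. The percent-decoding step matters because a traversal sequence can be encoded in the URL and only become `..\` after the client decodes it.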
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Upgrade Google Web Designer to version 16.3.0.0407 or later, where the vulnerability is fixed.
2. Advise users not to open or use untrusted or unsolicited ad templates, especially those received via email or downloaded from unverified sources.
3. Remove any suspicious files from the Windows Startup folder that may have been placed by exploitation attempts.
4. Consider restricting network access or monitoring for downloads initiated by Google Web Designer to untrusted external hosts.
5. Educate users about the risk of opening malicious templates and encourage caution.

These steps reduce the risk of exploitation and help protect affected systems until the update is applied. [1]