Windows Greenshot Vulnerability Lets Attackers Execute Malicious Code — PoC Published
A critical security vulnerability in the popular Greenshot screenshot utility has been discovered that allows local attackers to execute arbitrary malicious code within the trusted application process.
The vulnerability, tracked as CVE-2025-59050, affects Greenshot versions up to 1.3.300 and has been patched in version 1.3.301 released on September 16, 2025.
Critical Deserialization Flaw Exposes Users to Local Attacks
The vulnerability stems from Greenshot’s unsafe handling of Windows inter-process communication through the WM_COPYDATA message system.
Security researcher RipFran discovered that the application directly deserializes attacker-controlled data using the dangerous BinaryFormatter.Deserialize() method without proper validation.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2025-59050 |
| Severity | High (CVSS 8.8) |
When Greenshot processes WM_COPYDATA messages in its WndProc override function, it copies incoming bytes from any local process and immediately passes them to BinaryFormatter for deserialization.
This occurs before any authorization checks are performed, meaning malicious code can execute regardless of channel membership verification.
The attack vector requires local access but no elevated privileges, making it particularly concerning for enterprise environments where attackers may already have a foothold on workstations.
Any local process running at a compatible integrity level can exploit this vulnerability by sending crafted messages to Greenshot’s main window.
What makes this vulnerability especially dangerous is that malicious code executes within the legitimate Greenshot.exe process rather than creating new processes.
This enables sophisticated evasion techniques against application control policies like AppLocker or Windows Defender Application Control (WDAC) that primarily monitor executable launches.
The researcher provided a proof-of-concept demonstration showing how an attacker can locate Greenshot’s window, build a serialized payload, and trigger code execution using SendMessage API calls.
In the demonstration, the exploit successfully spawned cmd.exe with Greenshot.exe as the parent process, proving arbitrary code execution capabilities.

The payload is delivered in a single SendMessage(hwnd, WM_COPYDATA, …) call carrying the serialized bytes. This in-process execution method allows attackers to run payloads entirely in memory without touching the filesystem, making detection significantly more challenging for traditional security solutions focused on file-based threats.
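As an added detection example (not code from the article or from the Greenshot project): the behaviour shown in the proof-of-concept, cmd.exe started with Greenshot.exe as its parent, is still visible in process-creation telemetry even though the payload itself never touches disk. The script assumes Sysmon Event ID 1 records have already been flattened into one ';'-separated key=value line per event; the sample events, the expected-children allowlist and the high-signal child list are constructed for the demo and should be tuned against your own baseline.

```python
"""Hunt for unexpected child processes of Greenshot.exe in process-creation telemetry.

Added example, not Greenshot's or the article's code. Assumes Sysmon Event ID 1
data flattened to ';'-separated key=value lines with CommandLine as the last field.
"""
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). CommandLine is kept last so a ';'
# inside it is not mistaken for a field separator.
SAMPLE_EVENTS = [
    "UtcTime=2025-09-17 10:02:11;Image=C:\\Program Files\\Greenshot\\Greenshot.exe;"
    "ParentImage=C:\\Windows\\explorer.exe;CommandLine=Greenshot.exe",
    "UtcTime=2025-09-17 10:03:40;Image=C:\\Windows\\System32\\cmd.exe;"
    "ParentImage=C:\\Program Files\\Greenshot\\Greenshot.exe;CommandLine=cmd.exe /c whoami",
    "UtcTime=2025-09-17 10:04:02;Image=C:\\Windows\\System32\\notepad.exe;"
    "ParentImage=C:\\Windows\\explorer.exe;CommandLine=notepad.exe",
    "UtcTime=2025-09-17 10:05:15;Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "ParentImage=C:\\Program Files\\Greenshot\\Greenshot.exe;CommandLine=powershell.exe -nop -w hidden",
    "UtcTime=2025-09-17 10:06:30;Image=C:\\Windows\\System32\\mspaint.exe;"
    "ParentImage=C:\\Program Files\\Greenshot\\Greenshot.exe;CommandLine=mspaint.exe C:\\Temp\\shot.png",
]

# Children the screenshot tool has a legitimate reason to start (assumed for the demo,
# e.g. restarting itself after an update). Baseline this in your own environment.
EXPECTED_CHILDREN = {"greenshot.exe"}

# Shells and script hosts: a screenshot utility starting one of these is a strong signal.
HIGH_SIGNAL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

FIELD_COUNT = 4  # UtcTime, Image, ParentImage, CommandLine


def parse_event(line: str) -> dict:
    """Split a flattened event into a dict; only the first FIELD_COUNT-1 ';' separate fields."""
    fields = {}
    for part in line.split(";", FIELD_COUNT - 1):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def find_greenshot_children(events) -> list:
    """Return one alert per process whose parent is Greenshot.exe and that is not expected."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if basename(ev.get("ParentImage", "")) != "greenshot.exe":
            continue
        child = basename(ev.get("Image", ""))
        if child in EXPECTED_CHILDREN:
            continue
        alerts.append({
            "time": ev.get("UtcTime", ""),
            "child": child,
            "command_line": ev.get("CommandLine", ""),
            # Shells/script hosts are rated high; any other unexpected child is still worth a look.
            "severity": "high" if child in HIGH_SIGNAL_CHILDREN else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in find_greenshot_children(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['time']} Greenshot.exe -> {a['child']}: {a['command_line']}")
```

Parent/child lineage is the cheapest signal here because the page's point about in-memory execution means file-based scanning sees nothing; a medium-severity hit such as an image editor launched by Greenshot may be benign, so the allowlist is where environment-specific tuning belongs.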
The Greenshot development team has released version 1.3.301 to address this critical vulnerability and strongly recommends all users update immediately.
The fix addresses the unsafe deserialization by implementing proper validation and security controls for inter-process communication handling.
Users should download the latest version exclusively from the official Greenshot website at getgreenshot.org to ensure they receive the legitimate patched version.
Organizations should prioritize this update in their patch management cycles given the potential for privilege escalation and security policy bypass.