A high-severity vulnerability has been identified in multiple Nero products, specifically within the Nero BackItUp component. An attacker can exploit this flaw by creating a malicious file that, when clicked by a user within the Nero software, can execute arbitrary code and lead to a complete compromise of the user's system.

The vulnerability is a path parsing and UI rendering flaw (CWE-22: Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') within the Nero BackItUp application. An attacker can craft a special backup entry or file that causes the user interface to display a misleading or benign file name. When a user clicks on this entry, the application combines the flawed path parsing with a standard Windows feature (ShellExecuteW fallback extension resolution), which can cause the operating system to execute a malicious file (e.g., an .exe or .bat file) instead of opening the intended, safe file. This requires user interaction but results in arbitrary code execution with the privileges of the logged-in user.

This is a High severity vulnerability with a CVSS score of 8.6. Successful exploitation could grant an attacker control over an affected endpoint, leading to significant business risks. These risks include the theft of sensitive corporate or personal data, installation of ransomware, deployment of persistent malware for long-term espionage, or using the compromised system as a pivot point to attack other resources on the corporate network. The requirement for user interaction makes this an ideal vulnerability to be leveraged in targeted phishing or social engineering campaigns.

Immediate Action: Apply the security updates released by Nero to all affected systems immediately. After patching, review system and application logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring:

• Monitor endpoint security logs for suspicious process creation originating from Nero applications (e.g., BackItUp.exe spawning cmd.exe, powershell.exe, or other unexpected processes).
• Implement file integrity monitoring on directories related to Nero products to detect the creation of unusual or malicious files.
• Analyze network traffic for unexpected outbound connections from workstations running Nero software, which could indicate a command-and-control (C2) channel established after a successful exploit.

Compensating Controls:

• If immediate patching is not possible, implement application control policies (e.g., AppLocker, WDAC) to restrict the execution of unauthorized applications from common user-writable locations like Downloads or AppData.
• Deploy and configure an Endpoint Detection and Response (EDR) solution to detect and block the anomalous process chains associated with this exploit.
• Conduct user awareness training to warn employees about the risks of opening or restoring from untrusted backup files.

Public Exploit Available: false

Due to the High severity rating (CVSS 8.6) and the potential for complete system compromise, organizations are strongly advised to prioritize the deployment of vendor-supplied security updates to all affected systems. Although this vulnerability is not currently listed on the CISA KEV catalog, its high impact warrants immediate attention and remediation. If patching cannot be performed immediately, the compensating controls listed above should be implemented as a temporary measure to reduce the risk of exploitation.