A security vulnerability has been discovered in Greenshot, the widely used open-source screenshot tool for Windows. The Greenshot vulnerability exposes to the risk of arbitrary code execution, potentially allowing attackers to bypass established security protocols and launch further malicious activities. A proof-of-concept (PoC) exploit has already been released, drawing attention to the critical nature of the vulnerability.
The vulnerability, identified in Greenshot version 1.3.300 (released on August 20, 2025), primarily affects Windows users who run this version or any earlier iterations of the application. The core issue lies in how Greenshot processes incoming data through the Windows messaging framework, specifically the WM_COPYDATA message.
Decoding the Greenshot Vulnerability
Greenshot fails to adequately validate the integrity of data it receives via this method, using the unsafe BinaryFormatter.Deserialize to handle the data. Without prior checks on whether the data comes from a trusted source, a local attacker can exploit this flaw. By sending a specially crafted WM_COPYDATA message to the Greenshot main window, malicious code can be executed directly within the Greenshot process.
The official security advisory from Greenshot’s developers explained that the vulnerability is tied to how the WndProc function in the WinForms application handles the WM_COPYDATA message. The function passes incoming data straight to the BinaryFormatter.Deserialize method, which is inherently unsafe for untrusted data.
Key Technical Details
The vulnerability stems from how Greenshot deserializes attacker-controlled data without verifying whether the sender is authorized. Since the BinaryFormatter can instantiate arbitrary types, an attacker could trigger malicious code execution within the Greenshot process. This flaw is critical because it allows a local process, running with equivalent or higher user privileges, to execute arbitrary code in the context of the Greenshot application, a trusted, signed process.
The exploit bypasses the application’s internal security checks by executing the code before any authorization checks take place. Notably, the check for trusted channels occurs after deserialization, meaning an attacker could run arbitrary gadget chains regardless of channel membership.
This issue is particularly dangerous because execution happens in-process under Greenshot.exe, a trusted and signed binary. Such an approach makes it easier for an attacker to avoid detection by traditional security mechanisms such as AppLocker or Windows Defender Application Control (WDAC), which typically focus on preventing unapproved executables from running.
Solution and Mitigation
Greenshot developers have acknowledged the vulnerability and released an update to address the flaw. The new version, Greenshot 1.3.301, patches the vulnerability by improving the handling of the WM_COPYDATA message and deserialization processes. Users are strongly advised to upgrade to this new version immediately to protect their systems from potential exploitation.
Until the update is applied, there are no known workarounds or mitigations available for this vulnerability. Therefore, the safest course of action for users of Greenshot 1.3.300 and earlier versions is to upgrade to version 1.3.301 as soon as possible to protect against malicious exploitation.
