Cyber Resilience

CVE-2018-25108

Severity: High · Category: DDoS

Published: 16 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: (not recorded)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0118 (79.2nd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-25108 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in a Vde product (vendor inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 20.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2018-25108 is a vulnerability characterized by uncontrolled resource consumption (CWE-770), enabling an unauthenticated remote attacker to cause a Denial of Service (DoS) condition in the controller. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability. It was published on 2025-01-16.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no privileges or user interaction required. Successful exploitation results in significant resource exhaustion, leading to a DoS that disrupts the controller's functionality.

The advisory at https://cert.vde.com/en/advisories/VDE-2018-013 provides details on mitigation strategies for this vulnerability.


Vulnerability details

An unauthenticated remote attacker can cause a DoS in the controller due to uncontrolled resource consumption.

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables direct exploitation of a resource exhaustion flaw for application/service DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2025-0189 (shared CWE-770)
CVE-2021-47791 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)

Affected Assets

Vde (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-5 enforces denial-of-service protections that directly mitigate uncontrolled resource consumption by unauthenticated remote attackers.

Prevent: SC-6 protects system resource availability against unauthorized consumption, addressing the core CWE-770 issue in this CVE.

Prevent: SC-14 provides protections against DoS events specifically at public access interfaces exploited by unauthenticated remote attackers.
