Cyber Resilience

CVE-2018-25218

Severity: High · Public PoC

Published: 26 March 2026
Modified: 31 March 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS Score v4: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0022 (11.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2018-25218 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in PassFab RAR Password Recovery. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). By exploit likelihood it ranks at the 11.8th percentile (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

PassFab RAR Password Recovery version 9.3.2 is affected by CVE-2018-25218, a structured exception handler (SEH) buffer overflow vulnerability classified under CWE-787. This flaw enables local attackers to execute arbitrary code by supplying a malicious payload that overflows a buffer in the application's registration process. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts from a low-complexity local attack requiring no privileges or user interaction.

A local attacker can exploit this vulnerability by crafting a payload incorporating a buffer overflow, next SEH (NSEH) jump, and shellcode, then pasting it into the 'Licensed E-mail and Registration Code' field during the software's registration procedure. Successful exploitation triggers the SEH overflow, allowing arbitrary code execution with the privileges of the running process, potentially leading to full system compromise on the affected Windows system.

Advisories and references, including a detailed exploit on Exploit-DB (exploit 46008) and a VulnCheck advisory, document the issue and proof-of-concept exploitation details. Vendor pages for PassFab RAR Password Recovery provide download and product information, but no specific patches or mitigations are outlined in the available references. Security practitioners should advise against using version 9.3.2 and recommend isolating or replacing the software.

Vulnerability details

PassFab RAR Password Recovery 9.3.2 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload. Attackers can craft a payload with a buffer overflow, NSEH jump, and shellcode, then paste it into the 'Licensed E-mail and Registration Code' field during registration to trigger code execution.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

SEH buffer overflow in desktop client app directly enables local arbitrary code execution via crafted input to registration fields (CWE-787).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25219 · Same vendor: Passfab
CVE-2019-25705 · Shared CWE-787
CVE-2019-25633 · Shared CWE-787
CVE-2026-0538 · Shared CWE-787
CVE-2016-20046 · Shared CWE-787
CVE-2019-25628 · Shared CWE-787
CVE-2019-25695 · Shared CWE-787
CVE-2026-42484 · Shared CWE-787
CVE-2019-25612 · Shared CWE-787
CVE-2025-43300 · Shared CWE-787

Affected Assets

Vendor: passfab
Product: rar password recovery
Affected versions: ≤ 9.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires timely remediation of the known SEH buffer overflow vulnerability in PassFab RAR Password Recovery 9.3.2 through patching, updating, or removal to eliminate the exploitable flaw.

Prevent: Implements memory protection mechanisms such as DEP, ASLR, and stack canaries to block arbitrary code execution from crafted SEH buffer overflow payloads.

Prevent: Mandates validation of user inputs in the 'Licensed E-mail and Registration Code' field to reject oversized or malformed payloads that trigger the buffer overflow.
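
The memory-protection control above only helps if the installed binary opts in to DEP and ASLR. As an added example (not from the original page or from the vendor), this Python code reads the DllCharacteristics field of a PE header and reports which opt-ins are missing. The sample headers are constructed for the demonstration, the helper names are hypothetical, and SafeSEH and stack canaries are not recorded in this field, so they are not checked here.

```python
import struct

# DllCharacteristics bits defined by the PE/COFF specification.
FLAGS = {
    "ASLR (DYNAMIC_BASE)": 0x0040,
    "DEP (NX_COMPAT)": 0x0100,
    "Control Flow Guard": 0x4000,
}

def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, validating headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    opt = pe_off + 4 + 20            # skip PE signature and COFF file header
    if len(image) < opt + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # The field sits at offset 70 of the optional header in both formats.
    return struct.unpack_from("<H", image, opt + 70)[0]

def audit(image: bytes) -> dict:
    """Map each mitigation name to True/False for this image."""
    value = read_dll_characteristics(image)
    return {name: bool(value & bit) for name, bit in FLAGS.items()}

def missing(image: bytes) -> list:
    """Names of the mitigations the image has not opted in to."""
    return [name for name, on in audit(image).items() if not on]

def build_sample(dll_characteristics: int, magic: int = 0x10B) -> bytes:
    """Constructed minimal header (not a real binary) for demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    legacy = build_sample(0x0000)    # constructed: no mitigations opted in
    hardened = build_sample(0x4140)  # constructed: ASLR, DEP and CFG set
    print("legacy missing:", missing(legacy))
    print("hardened missing:", missing(hardened))
```

To audit an installed program, pass the bytes of its executable to `missing()`; any name returned is a mitigation that needs to be enforced by system policy or by replacing the software.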
