CVE-2018-25237
Published: 03 April 2026
Summary
CVE-2018-25237 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in a Belden product (vendor inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2018-25237 is a buffer overflow vulnerability (CWE-120) in Hirschmann HiSecOS devices versions prior to 05.3.03. The flaw exists in the HTTPS login interface when RADIUS authentication is enabled, stemming from improper bounds checking in password handling. Remote attackers can trigger the overflow by submitting a password longer than 128 characters, corrupting a fixed-size buffer.
This vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no required privileges or user interaction, and potential for high confidentiality, integrity, and availability impacts. Unauthenticated remote attackers can exploit it to crash the device, causing denial of service, or achieve arbitrary code execution.
Advisories detail mitigations, including the Belden Security Bulletin BSECV-2018-04 at https://assets.belden.com/m/2d5657b3e5d721c6/original/Security-Bulletin-RADIUS-Authentication-BSECV-2018-04.pdf and the VulnCheck advisory at https://www.vulncheck.com/advisories/hirschmann-hisecos-buffer-overflow-via-https-login.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21728
Vulnerability details
Hirschmann HiSecOS devices versions prior to 05.3.03 contain a buffer overflow vulnerability in the HTTPS login interface when RADIUS authentication is enabled that allows remote attackers to crash the device or execute arbitrary code by submitting a password longer than 128 characters. Attackers can exploit improper bounds checking in password handling to overflow a fixed-size buffer and achieve denial of service or remote code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer overflow in the unauthenticated HTTPS login interface of a network device directly enables remote exploitation for RCE or DoS via a public-facing application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires validation of all inputs including password lengths to prevent buffer overflows from oversized submissions in the HTTPS login interface.
Implements memory protection mechanisms like stack guards and non-executable memory to mitigate exploitation of buffer overflows for code execution or crashes.
Mandates timely flaw remediation through patching the known buffer overflow vulnerability in Hirschmann HiSecOS devices.
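The input-validation control above, shown as an added example that is not code from HiSecOS or from either advisory: an unchecked copy into a fixed-size password field next to a length-checked one that rejects anything over the 128 characters named in this entry. The struct, field and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 128   /* length limit stated in this entry */

enum pw_status { PW_OK = 0, PW_NULL = -1, PW_TOO_LONG = -2 };

/* Hypothetical login record: a fixed-size password field followed by
 * neighbouring state that an unchecked copy would overwrite. */
struct login_ctx {
    char     password[PW_MAX + 1];   /* 128 characters + NUL */
    unsigned radius_enabled;
};

/* Unsafe pattern (CWE-120): the source length is never compared with
 * the destination size, so a longer password writes past the field. */
void store_password_unchecked(struct login_ctx *ctx, const char *src)
{
    strcpy(ctx->password, src);
}

/* Checked form: bounded scan, reject instead of truncating, and leave
 * ctx untouched on failure. */
enum pw_status store_password_checked(struct login_ctx *ctx, const char *src)
{
    if (ctx == NULL || src == NULL)
        return PW_NULL;
    size_t len = 0;
    while (len <= PW_MAX && src[len] != '\0')   /* reads at most PW_MAX + 1 bytes */
        len++;
    if (len > PW_MAX)
        return PW_TOO_LONG;
    memcpy(ctx->password, src, len);
    memset(ctx->password + len, 0, sizeof ctx->password - len);
    return PW_OK;
}

int main(void)
{
    struct login_ctx ctx = {0};
    char long_pw[PW_MAX + 2];            /* constructed 129-character input */
    memset(long_pw, 'A', PW_MAX + 1);
    long_pw[PW_MAX + 1] = '\0';
    printf("129 chars: %d\n", store_password_checked(&ctx, long_pw));
    printf("short:     %d\n", store_password_checked(&ctx, "secret"));
    return 0;
}
```

Rejecting at the boundary, rather than truncating, also keeps the value passed on to the authentication back end identical to what the user submitted.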