Cyber Resilience

CVE-2018-25246

High · Public PoC

Published: 04 April 2026

Modified: 16 April 2026
KEV Added
Patch
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0036 (27.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2018-25246 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microsoft (inferred from references). Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 27.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2018-25246 is a denial of service vulnerability affecting Wikipedia 12.0. The flaw enables unauthenticated attackers to crash the application by submitting oversized input through the search functionality, such as pasting a large buffer of repeated characters into the search bar. It carries a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-306.

Unauthenticated attackers with network access can exploit the vulnerability remotely and with low complexity, requiring no privileges or user interaction. Successful exploitation leads to an application crash, resulting in high-impact denial of service by disrupting availability for affected users.

Advisories and related resources are available at https://www.exploit-db.com/exploits/45324 and https://www.microsoft.com/en-us/p/wikipedia/9wzdncrfhwm4?activetab=pivot%3aoverviewtab, which document the issue and include an exploit on Exploit-DB.

A proof-of-concept exploit is publicly available on Exploit-DB, indicating potential for real-world abuse against unpatched instances of the Wikipedia 12.0 application.

Vulnerability details

Wikipedia 12.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of repeated characters into the search bar to trigger an application crash.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability is a remote unauthenticated DoS via oversized search input that crashes the application, directly mapping to application exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-55222 (Shared CWE-306)
CVE-2018-25241 (Shared CWE-306)
CVE-2024-48882 (Shared CWE-306)
CVE-2025-55221 (Shared CWE-306)
CVE-2025-15620 (Shared CWE-306)
CVE-2025-23417 (Shared CWE-306)
CVE-2019-25686 (Shared CWE-306)
CVE-2026-34731 (Shared CWE-306)
CVE-2025-26361 (Shared CWE-306)
CVE-2024-8053 (Shared CWE-306)

Affected Assets

Microsoft
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents application crashes from oversized search inputs by requiring validation and sanitization of external inputs.

prevent

Restricts input quantities such as oversized buffers in the search functionality to block denial-of-service exploits.

prevent

Provides specific protections against denial-of-service attacks like those exploiting oversized inputs to crash the application.

References