CVE-2018-25246
Published: 04 April 2026
Summary
CVE-2018-25246 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microsoft (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2018-25246 is a denial of service vulnerability affecting Wikipedia 12.0. The flaw enables unauthenticated attackers to crash the application by submitting oversized input through the search functionality, such as pasting a large buffer of repeated characters into the search bar. It carries a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-306.
Unauthenticated attackers with network access can exploit the vulnerability remotely and with low complexity, requiring no privileges or user interaction. Successful exploitation leads to an application crash, resulting in high-impact denial of service by disrupting availability for affected users.
Advisories and related resources are available at https://www.exploit-db.com/exploits/45324 and https://www.microsoft.com/en-us/p/wikipedia/9wzdncrfhwm4?activetab=pivot%3aoverviewtab, which document the issue and include an exploit on Exploit-DB.
A proof-of-concept exploit is publicly available on Exploit-DB, indicating potential for real-world abuse against unpatched instances of the Wikipedia 12.0 application.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21765
Vulnerability details
Wikipedia 12.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of repeated characters into the search bar to trigger an…
more
application crash.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote unauthenticated DoS via oversized search input that crashes the application, directly mapping to application exploitation for endpoint denial of service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents application crashes from oversized search inputs by requiring validation and sanitization of external inputs.
Restricts input quantities such as oversized buffers in the search functionality to block denial-of-service exploits.
Provides specific protections against denial-of-service attacks like those exploiting oversized inputs to crash the application.