Cyber Resilience

CVE-2018-25254

Critical · Public PoC

Published: 04 April 2026

Modified: 27 April 2026
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0091 (55.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2018-25254 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Nico-Ftp, a product of the Nico-Ftp Project. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2018-25254 is a structured exception handler (SEH) buffer overflow vulnerability (CWE-787) in NICO-FTP version 3.0.1.19. The flaw resides in the FTP server component, where sending oversized data in response handlers triggers a buffer overflow, enabling attackers to overwrite SEH pointers.

Unauthenticated remote attackers can exploit this vulnerability over the network by connecting to the exposed FTP service and transmitting crafted FTP commands with oversized payloads. Successful exploitation allows redirection of execution flow to injected shellcode, resulting in arbitrary code execution on the target system. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its ease of exploitation and high impact.

References include an Exploit-DB entry (https://www.exploit-db.com/exploits/45442) providing a public proof-of-concept, a VulnCheck advisory (https://www.vulncheck.com/advisories/nico-ftp-buffer-overflow-seh) detailing the SEH buffer overflow, and a Softonic download page (https://en.softonic.com/download/nico-ftp/windows/post-download). No patches or specific mitigations are described in the provided information.

Vulnerability details

NICO-FTP 3.0.1.19 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending crafted FTP commands. Attackers can connect to the FTP service and send oversized data in response handlers to overwrite SEH pointers and redirect execution to injected shellcode.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a buffer overflow in a public-facing FTP server enabling unauthenticated remote code execution via crafted commands, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27807 (shared CWE-787)
CVE-2024-48856 (shared CWE-787)
CVE-2025-14234 (shared CWE-787)
CVE-2018-25223 (shared CWE-787)
CVE-2018-25154 (shared CWE-787)
CVE-2024-57704 (shared CWE-787)
CVE-2025-29384 (shared CWE-787)
CVE-2024-12648 (shared CWE-787)
CVE-2025-30276 (shared CWE-787)
CVE-2025-25746 (shared CWE-787)

Affected Assets

Vendor: nico-ftp project
Product: nico-ftp
Version: ≤ 3.0.1.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Remediating the buffer overflow flaw in NICO-FTP by applying patches, updates, or removing the vulnerable software directly prevents exploitation of CVE-2018-25254.

Prevent: Memory protection mechanisms like DEP, ASLR, and stack canaries mitigate SEH pointer overwrites and arbitrary code execution from the buffer overflow in NICO-FTP.

Prevent: Validating FTP command inputs for size and structure prevents oversized payloads from triggering the buffer overflow vulnerability in NICO-FTP response handlers.
