CVE-2018-25254
Published: 04 April 2026
Summary
CVE-2018-25254 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Nico-Ftp Project Nico-Ftp. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2018-25254 is a structured exception handler (SEH) buffer overflow vulnerability (CWE-787) in NICO-FTP version 3.0.1.19. The flaw resides in the FTP server component, where sending oversized data in response handlers triggers a buffer overflow, enabling attackers to overwrite SEH pointers.
Unauthenticated remote attackers can exploit this vulnerability over the network by connecting to the exposed FTP service and transmitting crafted FTP commands with oversized payloads. Successful exploitation allows redirection of execution flow to injected shellcode, resulting in arbitrary code execution on the target system. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its ease of exploitation and high impact.
References include an Exploit-DB entry (https://www.exploit-db.com/exploits/45442) providing a public proof-of-concept, a VulnCheck advisory (https://www.vulncheck.com/advisories/nico-ftp-buffer-overflow-seh) detailing the SEH buffer overflow, and a Softonic download page (https://en.softonic.com/download/nico-ftp/windows/post-download). No patches or specific mitigations are described in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21760
Vulnerability details
NICO-FTP 3.0.1.19 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending crafted FTP commands. Attackers can connect to the FTP service and send oversized data in response handlers to overwrite SEH…
more
pointers and redirect execution to injected shellcode.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a buffer overflow in a public-facing FTP server enabling unauthenticated remote code execution via crafted commands, directly facilitating T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Remediating the buffer overflow flaw in NICO-FTP by applying patches, updates, or removing the vulnerable software directly prevents exploitation of CVE-2018-25254.
Memory protection mechanisms like DEP, ASLR, and stack canaries mitigate SEH pointer overwrites and arbitrary code execution from the buffer overflow in NICO-FTP.
Validating FTP command inputs for size and structure prevents oversized payloads from triggering the buffer overflow vulnerability in NICO-FTP response handlers.