Cyber Resilience

CVE-2018-25259

High · Public PoC

Published: 22 April 2026

Modified: 29 April 2026
KEV Added
Patch
CVSS Score v4: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0019 (8.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2018-25259 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Lizardsystems Terminal Services Manager. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 8.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

Terminal Services Manager 3.1 is affected by CVE-2018-25259, a stack-based buffer overflow vulnerability in the computer names field. This flaw allows local attackers to execute arbitrary code by triggering structured exception handling (SEH). Specifically, attackers can craft a malicious input file containing shellcode and jump instructions that overwrite the SEH handler pointer, leading to code execution when the file is imported through the add computers wizard.

Local unprivileged attackers (AV:L/PR:N) can exploit this vulnerability with low complexity and no user interaction (AC:L/UI:N), achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), for a CVSS 3.1 score of 8.4. By preparing a specially crafted input file, an attacker gains the ability to execute payloads such as calc.exe or other arbitrary code upon import, potentially leading to full system compromise from a local access position.

Advisories and proof-of-concept exploits for this vulnerability are documented in references including the vendor site at https://lizardsystems.com, Exploit-DB at https://www.exploit-db.com/exploits/46058, and VulnCheck at https://www.vulncheck.com/advisories/terminal-services-manager-buffer-overflow-seh. No specific patch or mitigation details are outlined in the available information.

Vulnerability details

Terminal Services Manager 3.1 contains a stack-based buffer overflow vulnerability in the computer names field that allows local attackers to execute arbitrary code by triggering structured exception handling. Attackers can craft a malicious input file with shellcode and jump instructions that overwrite the SEH handler pointer to execute calc.exe or other payloads when imported through the add computers wizard.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Stack-based buffer overflow with SEH overwrite in local file import directly enables arbitrary code execution from unprivileged local access, mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25268 - Same vendor: Lizardsystems
CVE-2018-25265 - Same vendor: Lizardsystems
CVE-2025-48572 - Shared CWE-306
CVE-2026-26160 - Shared CWE-306
CVE-2026-24068 - Shared CWE-306
CVE-2026-6348 - Shared CWE-306
CVE-2026-24062 - Shared CWE-306
CVE-2026-33788 - Shared CWE-306
CVE-2026-20803 - Shared CWE-306
CVE-2026-0492 - Shared CWE-306

Affected Assets

lizardsystems · terminal services manager · ≤ 3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 mandates identification, prioritization, and remediation of flaws like the buffer overflow in CVE-2018-25259, directly preventing exploitation through patching or removal.

Prevent: SI-16 enforces memory protections such as stack canaries, ASLR, and DEP that block arbitrary code execution from SEH overwrites in stack-based buffer overflows.

Prevent: SI-10 requires validation of information inputs like the computer names field in imported files, preventing buffer overflows from oversized or malformed data.
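
One way to apply the SI-10 control above before a file reaches the add computers wizard, as an added example (not code from the vendor or from this page): a pre-import screen that rejects oversized or malformed entries. It assumes the import file is plain text with one computer name per line and uses the DNS length limits (253 and 63) as bounds; the function names and the sample data are hypothetical.

```python
import re
from typing import Optional

MAX_DNS_NAME = 253  # longest valid fully qualified DNS name, in bytes
MAX_LABEL = 63      # longest valid single DNS label, in bytes
# Hostname label characters; underscore is tolerated for legacy Windows names.
LABEL_RE = re.compile(rb"^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?$")


def check_name(raw: bytes) -> Optional[str]:
    """Return a rejection reason for one entry, or None if it is acceptable."""
    if len(raw) > MAX_DNS_NAME:
        return f"too long ({len(raw)} bytes > {MAX_DNS_NAME})"
    if any(b < 0x21 or b > 0x7E for b in raw):
        return "non-printable or non-ASCII byte"
    for label in raw.rstrip(b".").split(b"."):
        if len(label) > MAX_LABEL:
            return f"label too long ({len(label)} bytes > {MAX_LABEL})"
        if not LABEL_RE.match(label):
            return "invalid hostname label"
    return None


def screen_import(data: bytes) -> list:
    """Screen a whole import file; returns (line number, reason) per rejected entry."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        entry = line.strip(b" \t")
        if not entry:
            continue  # blank lines carry no name
        reason = check_name(entry)
        if reason:
            findings.append((lineno, reason))
    return findings


# Constructed sample: two plausible names, one oversized entry, one with binary bytes.
SAMPLE = b"\r\n".join([
    b"TS-SERVER01",
    b"rdp01.corp.example.com",
    b"A" * 1200,
    b"HOST\x00\xff\x01",
])

if __name__ == "__main__":
    for lineno, reason in screen_import(SAMPLE):
        print(f"line {lineno}: rejected, {reason}")
```

The screen works on raw bytes rather than decoded text so that binary content in a name field is reported instead of raising a decoding error.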

References