Cyber Resilience

CVE-2018-25265

Severity: High · Public PoC available

Published: 22 April 2026

Modified: 27 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 score: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0021 (10.5th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2018-25265 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Lizardsystems Lanspy. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks the vulnerability at the 10.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2018-25265 is a local buffer overflow vulnerability (CWE-787) affecting LanSpy version 2.0.1.159 in its scan section. The flaw enables local attackers to execute arbitrary code by exploiting structured exception handling (SEH) mechanisms. Attackers can craft malicious payloads incorporating egghunter techniques to locate shellcode, followed by SEH chain manipulation and controlled jumps to trigger execution. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-22.

Local attackers with access to the system can exploit this vulnerability without requiring privileges (PR:N) or user interaction (UI:N). By sending a specially crafted input to the scan section, they trigger the buffer overflow, overwrite the SEH chain, and achieve arbitrary code execution with high confidentiality, integrity, and availability impacts.

Advisories and references, including the vendor site at https://lizardsystems.com, a proof-of-concept exploit at https://www.exploit-db.com/exploits/46018, and a VulnCheck advisory at https://www.vulncheck.com/advisories/lanspy-local-buffer-overflow, document the issue and exploitation details but do not specify mitigations or patches in the available information.

Vulnerability details

LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious payloads using egghunter techniques to locate and execute shellcode, triggering code execution through SEH chain manipulation and controlled jumps.

CWE(s): CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local buffer overflow with SEH overwrite directly enables arbitrary code execution by an unprivileged local attacker, mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25268: same product (Lizardsystems Lanspy)
CVE-2018-25259: same vendor (Lizardsystems)
CVE-2016-20044: shared CWE-787
CVE-2026-23326: shared CWE-787
CVE-2024-43077: shared CWE-787
CVE-2024-53697: shared CWE-787
CVE-2025-20890: shared CWE-787
CVE-2026-23073: shared CWE-787
CVE-2025-20708: shared CWE-787
CVE-2025-1471: shared CWE-787

Affected Assets

Vendor: lizardsystems
Product: lanspy
Versions: ≤ 2.0.1.159

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent)

Directly prevents buffer overflows by validating the format, length, and content of inputs to the scan section, blocking specially crafted payloads.

SI-16 Memory Protection (prevent)

Enforces memory protections such as ASLR, DEP, and stack canaries that disrupt SEH chain overwrites and egghunter shellcode execution in buffer overflow exploits.

SI-2 Flaw Remediation (prevent)

Mandates timely flaw remediation, including patching or replacing LanSpy to eliminate the specific buffer overflow vulnerability.
