CVE-2018-25345 Overview
CVE-2018-25345 is a local buffer overflow vulnerability in 10-Strike Network Scanner 3.0. The flaw resides in the host name field and allows attackers to bypass SafeSEH (Safe Structured Exception Handling) protections to execute arbitrary code. An attacker crafts a malicious payload in the host name or address field and triggers the overflow through the Trace route or System information functions. Successful exploitation results in arbitrary code execution in the context of the user running the scanner. The vulnerability is classified under [CWE-120] Buffer Copy without Checking Size of Input.
Critical Impact
Local attackers can bypass SafeSEH protections and execute arbitrary code on systems running 10-Strike Network Scanner 3.0.
Affected Products
- 10-Strike Network Scanner 3.0
Discovery Timeline
- 2026-05-23 - CVE-2018-25345 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2018-25345
Vulnerability Analysis
The vulnerability is a stack-based buffer overflow triggered when 10-Strike Network Scanner 3.0 processes user-supplied input in the host name or address field. The application copies input into a fixed-size buffer without validating its length. Oversized input overwrites the saved exception handler record on the stack.
Because the affected binary was compiled without SafeSEH protection on relevant modules, attackers can overwrite the SEH chain and redirect execution to controlled code. The vulnerability is reachable through the Trace route function and the System information function within the application. Exploitation yields code execution at the privilege level of the local user running the scanner.
Root Cause
The root cause is missing bounds checking on the host name and address input fields [CWE-120]. The application does not enforce length limits before copying the value to a stack buffer. This permits adjacent stack data, including the structured exception handler pointer, to be overwritten with attacker-controlled values.
Attack Vector
The attack vector is local. An attacker supplies a crafted payload to the host name or address field, then invokes the Trace route or System information feature to trigger the parsing path. The overflow corrupts the SEH chain, and execution is redirected when an exception is raised during input handling. Technical details and a proof-of-concept are documented at Exploit-DB #44841 and the VulnCheck Advisory on 10-Strike.
Detection Methods for CVE-2018-25345
Indicators of Compromise
- Unexpected child processes spawned by the 10-Strike Network Scanner executable.
- Crash dumps or Windows Error Reporting events referencing the scanner process with access violation exceptions in SEH handling.
- Unusual outbound network connections originating from the scanner process following Trace route or System information actions.
Detection Strategies
- Monitor for process anomalies where the 10-Strike Network Scanner spawns shells (cmd.exe, powershell.exe) or other interpreters.
- Detect SEH-based exploitation patterns through endpoint behavioral analytics that flag stack pivoting or non-image code execution.
- Alert on application crashes followed by code execution within the same process tree.
Monitoring Recommendations
- Inventory endpoints running 10-Strike Network Scanner 3.0 and apply elevated logging to those hosts.
- Collect Windows Application and Security event logs for faulting module entries naming the scanner binary.
- Ingest EDR telemetry into a centralized data lake to correlate scanner crashes with subsequent process creation events.
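The detection strategies above (the scanner spawning an interpreter, and a scanner crash followed by process creation) can be expressed as one small correlation rule over centralized telemetry. This is an added example, not part of the original advisory or any vendor tooling; the event field names, the sample events, the five-minute window and the placeholder executable name `scanner_placeholder.exe` are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: placeholder name; substitute the scanner's real executable name.
SCANNER_IMAGE = "scanner_placeholder.exe"
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
CRASH_WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample events, as if normalized from process-creation telemetry
# (e.g. Sysmon Event ID 1) and Application Error records (Event ID 1000).
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "ws-01", "type": "process_create",
     "parent": "explorer.exe", "image": SCANNER_IMAGE},
    {"ts": "2024-01-10T09:02:10", "host": "ws-01", "type": "app_crash",
     "image": SCANNER_IMAGE, "exception": "0xc0000005"},
    {"ts": "2024-01-10T09:02:12", "host": "ws-01", "type": "process_create",
     "parent": SCANNER_IMAGE, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2024-01-10T09:30:00", "host": "ws-02", "type": "process_create",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2024-01-10T10:00:00", "host": "ws-03", "type": "app_crash",
     "image": SCANNER_IMAGE, "exception": "0xc0000005"},
]

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events, scanner=SCANNER_IMAGE):
    """Alert on scanner crashes and on interpreters spawned by the scanner;
    a spawn within CRASH_WINDOW after a crash on the same host is critical."""
    scanner = scanner.lower()
    alerts, crashes = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["type"] == "app_crash" and basename(ev["image"]) == scanner:
            crashes.setdefault(host, []).append(ts)
            alerts.append({"host": host, "rule": "scanner_crash", "severity": "low", "ts": ev["ts"]})
        elif (ev["type"] == "process_create" and basename(ev.get("parent", "")) == scanner
              and basename(ev["image"]) in INTERPRETERS):
            near = any(timedelta(0) <= ts - c <= CRASH_WINDOW for c in crashes.get(host, []))
            alerts.append({"host": host, "rule": "scanner_spawned_interpreter",
                           "severity": "critical" if near else "high", "ts": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```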
How to Mitigate CVE-2018-25345
Immediate Actions Required
- Remove or restrict access to 10-Strike Network Scanner 3.0 on production endpoints until a patched release is verified.
- Restrict execution of the scanner to administrators in controlled environments only.
- Block untrusted input files or configuration sources that supply host names to the application.
Patch Information
No vendor patch is referenced in the available CVE data. Consult the 10-Strike Company Overview page for the latest product releases and confirm whether a fixed version has been issued before redeploying the software.
Workarounds
- Upgrade to a supported, vendor-patched release of 10-Strike Network Scanner if available.
- Run the application under a low-privilege account to limit the impact of code execution.
- Avoid pasting or importing untrusted host name or address values into the scanner input fields.
- Enforce application allow-listing to prevent unauthorized execution of the vulnerable binary.
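# Configuration example: block execution via Windows AppLocker (PowerShell)
# New-AppLockerPolicy only generates Allow rules, so the rule is switched to Deny before merging.
# Keep the default Allow rules in place: once the Exe collection has rules, anything not allowed is blocked.
$dir = "C:\Program Files (x86)\10-Strike Network Scanner"
$xml = Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Path -User Everyone -Optimize -Xml
$xml -replace 'Action="Allow"', 'Action="Deny"' | Out-File "$env:TEMP\deny-10strike.xml"
Set-AppLockerPolicy -XmlPolicy "$env:TEMP\deny-10strike.xml" -Merge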
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


