CVE-2018-25299: Prime95 Local Buffer Overflow Allows Arbitrary Code Execution
The National Vulnerability Database highlights CVE-2018-25299, a high-severity local buffer overflow in Prime95 version 29.4b8. This flaw allows attackers to execute arbitrary code by manipulating structured exception handling (SEH) mechanisms. The vulnerability is triggered through the optional proxy hostname field within PrimeNet connection settings.
Attackers can inject malicious payloads into this field, causing a buffer overflow that then leverages SEH to execute system commands. While requiring local access, the impact is significant given the potential for full system compromise. The National Vulnerability Database assigns this a CVSS score of 8.4 (HIGH) with a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
This isn’t a remote exploit, but it’s a critical local privilege escalation vector. Once an attacker has a foothold on a system, this vulnerability provides a clear path to elevated privileges and arbitrary code execution. Defenders need to recognize that even local vulnerabilities can have devastating consequences when combined with initial access tactics.
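As an added illustration (not Prime95 source code, which this page does not show), the C function below applies the length and character checks a proxy hostname field needs before it is copied into a fixed-size buffer. The function name, status codes, buffer sizes and the host-only format (no port, no IP literal) are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limits: 253 characters per name, 63 per label (RFC 1035). */
#define PROXY_HOST_MAX 253
#define DNS_LABEL_MAX 63

enum host_status { HOST_OK, HOST_EMPTY, HOST_TOO_LONG, HOST_BAD_CHAR, HOST_BAD_LABEL };

/* ASCII-only test, independent of the process locale. */
static int is_host_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* Hypothetical setter: validates src, then copies it into dst.
 * dst is left untouched unless the whole value is accepted. */
enum host_status set_proxy_hostname(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0, i, label_len = 0;

    if (src == NULL || src[0] == '\0')
        return HOST_EMPTY;
    /* Bounded scan: stop counting once the input exceeds the limit. */
    while (len <= PROXY_HOST_MAX && src[len] != '\0')
        len++;
    if (len > PROXY_HOST_MAX || len >= dst_size)
        return HOST_TOO_LONG;          /* would not fit with its terminator */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '.') {
            if (label_len == 0)
                return HOST_BAD_LABEL; /* leading dot or empty label */
            label_len = 0;
        } else if (!is_host_char(c)) {
            return HOST_BAD_CHAR;      /* rejects control and non-ASCII bytes */
        } else if (++label_len > DNS_LABEL_MAX) {
            return HOST_BAD_LABEL;
        }
    }
    memcpy(dst, src, len);             /* len < dst_size was checked above */
    dst[len] = '\0';
    return HOST_OK;
}
```

Rejecting the value before any byte is written means an oversized field never reaches the destination buffer, so nothing adjacent on the stack, including exception handler records, is overwritten.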
What This Means For You
- If Prime95 29.4b8 or earlier versions are present in your environment, particularly on developer or testing workstations, you need to assess this risk. This vulnerability allows for arbitrary code execution and full system compromise once local access is achieved. Patch or upgrade Prime95 immediately to mitigate this local privilege escalation vector.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2018-25299: Prime95 Local Buffer Overflow via Proxy Hostname
```yaml
title: 'CVE-2018-25299: Prime95 Local Buffer Overflow via Proxy Hostname'
id: scw-2026-04-29-ai-1
status: experimental
level: critical
description: |
  Detects the execution of Prime95 with a command-line argument that attempts to exploit the CVE-2018-25299 buffer overflow vulnerability. The vulnerability allows for arbitrary code execution by injecting a malicious payload through the optional proxy hostname field in the PrimeNet connection settings, triggering an SEH overflow.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25299/
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'prime95.exe'
    CommandLine|contains:
      # Hypothetical value based on the description; an actual exploit might
      # use different parameter naming or direct injection.
      - 'proxyhostname='
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2018-25299 | Buffer Overflow | Prime95 version 29.4b8 |
| CVE-2018-25299 | RCE | Exploitation of structured exception handling (SEH) mechanisms |
| CVE-2018-25299 | Code Injection | Malicious payload injection via optional proxy hostname field in PrimeNet connection settings |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 29, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.