Free Download Manager CVE-2018-25304: Local Buffer Overflow Allows Code Execution

The National Vulnerability Database (NVD) reports a local buffer overflow, CVE-2018-25304, in Free Download Manager (FDM) 2.0 Build 417. The flaw sits in the URL import functionality: oversized input overwrites the Structured Exception Handler (SEH) chain on the stack, and an attacker who controls the overwritten handler record gains arbitrary code execution in the context of the user running FDM.

The attacker crafts a malicious URL file. When the victim imports it through the application's "File > Import > Import lists of downloads" menu, the Location header response for the imported entry overflows a buffer and overwrites the SEH chain, so that when the resulting exception is dispatched, control passes to attacker-controlled code. NVD assigns the vulnerability a CVSS score of 8.4 (HIGH).

NVD lists no affected products beyond the version above. Because the flaw is local and is triggered by an import, user interaction is a prerequisite: this is not a remote, unauthenticated RCE but a client-side attack that depends on social engineering, or another delivery path, to get a user to import the malicious file.

What This Means For You

  • If your organization still runs Free Download Manager 2.0 Build 417, assess the risk: a user who is persuaded to import a malicious URL file hands the attacker code execution with that user's privileges. Inventory endpoints for this exact version, upgrade to a current FDM release, and until then restrict the import of download-list files from untrusted sources (for example, through application control or by blocking such files at the mail and web gateways).

Detection Rules

The following detection rule was auto-generated for this CVE and mapped to MITRE ATT&CK. It is provided as Sigma YAML. Note that the menu action that triggers the bug is a GUI event and never appears in process-creation telemetry, so the rule looks for the post-exploitation footprint instead; the technique is T1203 (Exploitation for Client Execution), not T1190, which covers public-facing servers.

high T1203 Execution

Free Download Manager Spawning a Shell or Script Host - CVE-2018-25304

Sigma YAML
title: Free Download Manager Spawning a Shell or Script Host - CVE-2018-25304
id: scw-2026-04-29-ai-1
status: experimental
level: high
description: |
  CVE-2018-25304 is exploited by importing a malicious URL file through the
  'File > Import > Import lists of downloads' menu of Free Download Manager (FDM).
  That menu action is a GUI event and is not visible in process_creation logs, so
  this rule detects the usual footprint of a successful SEH-overwrite payload:
  the FDM process spawning a shell, script host or other living-off-the-land
  binary. Tune the child-image list to the environment.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25304/
tags:
  - attack.execution
  - attack.t1203
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\fdm.exe'                      # assumed binary name of FDM 2.x
      - '\Free Download Manager.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\certutil.exe'
  condition: selection_parent and selection_child
falsepositives:
  - FDM legitimately launching a helper process or an external viewer for a completed download

Source: Shimi's Cyber World
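
To show what a process_creation rule for this CVE can and cannot see, here is an added Python example; it is not code from the page, from Free Download Manager or from the Sigma project. It re-implements the subset of Sigma matching such a rule relies on (field|endswith and field|contains modifiers, list values OR-ed, fields within a selection AND-ed, case-insensitive) and runs two selections over constructed Sysmon-style events: a menu-path string match, which never fires because a GUI menu click is not part of any command line, and a parent/child match that flags a shell spawned by the FDM process, the telemetry a successful SEH payload typically produces. The binary name fdm.exe and all event data are assumptions.

```python
"""Evaluate Sigma-style process_creation selections over constructed events.

Added example for the CVE-2018-25304 write-up; not code from the page,
from Free Download Manager or from the Sigma project. Implements only the
Sigma matching subset the rule needs: 'Field|modifier' keys, list values
OR-ed, fields within one selection AND-ed, case-insensitive comparison.
"""
from __future__ import annotations

from typing import Any, Callable

# Constructed Sysmon-style process_creation events (not real telemetry).
# The FDM 2.x binary name fdm.exe is an assumption.
SAMPLE_EVENTS: list[dict[str, str]] = [
    {   # 0: the victim starts FDM from Explorer
        "Image": r"C:\Program Files\Free Download Manager\fdm.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Free Download Manager\fdm.exe"',
    },
    {   # 1: post-exploitation footprint: FDM spawns a shell after the SEH overwrite
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Free Download Manager\fdm.exe",
        "CommandLine": r"cmd.exe /c whoami",
    },
    {   # 2: benign shell started by the user from Explorer
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe",
    },
    {   # 3: FDM opening a downloaded text file: the expected false-positive class
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Program Files\Free Download Manager\fdm.exe",
        "CommandLine": r"notepad.exe downloads.txt",
    },
]

# Selection that looks for the GUI menu path in the command line.
# A menu click is never part of a command line, so this cannot match.
MENU_PATH_SELECTION: dict[str, list[str]] = {
    "Image|endswith": [r"\fdm.exe", r"\Free Download Manager.exe"],
    "CommandLine|contains": ["File > Import > Import lists of downloads"],
}

# Parent/child selection: the FDM process spawning a shell or script host.
CHILD_PROCESS_SELECTION: dict[str, list[str]] = {
    "ParentImage|endswith": [r"\fdm.exe", r"\Free Download Manager.exe"],
    "Image|endswith": [r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe",
                       r"\wscript.exe", r"\cscript.exe", r"\mshta.exe",
                       r"\rundll32.exe", r"\regsvr32.exe", r"\certutil.exe"],
}

# Supported Sigma value modifiers; an empty modifier means exact match.
_MODIFIERS: dict[str, Callable[[str, str], bool]] = {
    "endswith": lambda value, pat: value.endswith(pat),
    "startswith": lambda value, pat: value.startswith(pat),
    "contains": lambda value, pat: pat in value,
    "": lambda value, pat: value == pat,
}


def field_matches(event: dict[str, Any], key: str, patterns: list[str]) -> bool:
    """One 'Field|modifier' entry: any listed pattern may match (Sigma OR semantics)."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    test = _MODIFIERS[modifier]
    return any(test(value, str(p).lower()) for p in patterns)


def selection_matches(event: dict[str, Any], selection: dict[str, list[str]]) -> bool:
    """Every field entry of a selection must match (Sigma AND semantics)."""
    return all(field_matches(event, key, pats) for key, pats in selection.items())


def run_selection(events: list[dict[str, Any]], selection: dict[str, list[str]]) -> list[int]:
    """Indices of the events the selection fires on."""
    return [i for i, event in enumerate(events) if selection_matches(event, selection)]


if __name__ == "__main__":
    print("menu-path selection fires on:", run_selection(SAMPLE_EVENTS, MENU_PATH_SELECTION))
    print("child-process selection fires on:", run_selection(SAMPLE_EVENTS, CHILD_PROCESS_SELECTION))
```

Run as a script: the menu-path selection matches nothing, and the child-process selection flags only event 1 (cmd.exe under fdm.exe); event 3, FDM opening notepad.exe, is left alone because notepad.exe is not in the child-image list, which is exactly the tuning knob the rule's falsepositives entry refers to.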

Indicators of Compromise

ID              Type             Indicator
CVE-2018-25304  Buffer Overflow  Free Download Manager 2.0 Build 417
CVE-2018-25304  RCE              URL import functionality via the File > Import > Import lists of downloads menu
CVE-2018-25304  Buffer Overflow  Location header response
Source & Attribution
Source platform: NVD
Channel: National Vulnerability Database
Published: April 29, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
