CVE-2018-25328: VX Search Buffer Overflow Allows Code Execution
The National Vulnerability Database reports CVE-2018-25328, a high-severity local buffer overflow vulnerability in VX Search version 10.6.18. This flaw allows attackers to overwrite the instruction pointer by submitting an overly long string into the directory field. The vulnerability is rated 8.4 (HIGH) on the CVSS 3.1 scale, with a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Attackers can leverage this by crafting a malicious input file. This file contains 271 bytes of junk data, followed by a return address, enabling the execution of arbitrary code. Crucially, this code executes with the privileges of the VX Search application itself. While the National Vulnerability Database does not specify affected products beyond VX Search 10.6.18, any system running this specific version is at risk.
This is a classic CWE-120 buffer overflow scenario. The attacker’s calculus is straightforward: gain local code execution, then pivot. For defenders, the implication is clear: unpatched instances provide an easy local privilege escalation or initial access vector if an attacker already has a foothold. This isn’t theoretical; it’s a well-understood attack primitive.
What This Means For You
- If your organization uses VX Search 10.6.18, you must prioritize patching or isolating this application immediately. This vulnerability allows for arbitrary code execution, which can lead to full system compromise if an attacker gains local access. Verify all instances of VX Search and ensure they are updated or removed.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2018-25328: VX Search Directory Buffer Overflow
```yaml
# Title is quoted because a plain YAML scalar cannot contain ": "
title: 'CVE-2018-25328: VX Search Directory Buffer Overflow'
id: scw-2026-05-17-ai-1
status: experimental
level: critical
description: |
  Detects the execution of VX Search (vxsearch.exe) with a command line argument that is indicative of the buffer overflow exploit for CVE-2018-25328. The vulnerability allows for arbitrary code execution by supplying an oversized string in the directory field, overwriting the instruction pointer.
author: SCW Feed Engine (AI-generated)
date: 2026-05-17
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25328/
tags:
  - attack.execution
  - attack.t1218
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'vxsearch.exe'
    CommandLine|contains:
      # Placeholder for the oversized string that overwrites the instruction pointer.
      # As written it matches any command line containing C:\, so tune before deploying.
      - 'C:\'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
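The rule above keys on a placeholder `C:\` substring. As an added example (not part of the original rule or of any vendor tooling), the Python below runs that selection and a length-based alternative over constructed process-creation events to show where each fires. It assumes, as the rule does, that the directory value appears on the command line; the install path, event fields and the 4-character tail are hypothetical.

```python
import re

MAX_PATH = 260   # legacy Windows limit for a full path, in characters
JUNK_LEN = 271   # padding length the advisory gives for the directory field

def page_rule_matches(event):
    """Selection from the page's Sigma rule (Sigma string matching is case-insensitive)."""
    return (event["Image"].lower().endswith("vxsearch.exe")
            and "c:\\" in event["CommandLine"].lower())

def oversized_args(command_line, limit=MAX_PATH):
    """Return the arguments that are longer than a legacy Windows path can be."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    return [t.strip('"') for t in tokens if len(t.strip('"')) > limit]

def length_rule_matches(event):
    """Alternative selection: same image, but keyed on argument length."""
    return (event["Image"].lower().endswith("vxsearch.exe")
            and bool(oversized_args(event["CommandLine"])))

# Constructed process-creation events; the install path is hypothetical.
IMAGE = r"C:\Program Files\VX Search\bin\vxsearch.exe"
EVENTS = [
    {"id": "benign", "Image": IMAGE,
     "CommandLine": r'"C:\Program Files\VX Search\bin\vxsearch.exe" C:\Users\alice\Documents'},
    {"id": "oversized", "Image": IMAGE,
     # 271 filler characters plus a 4-character tail (pointer size assumed)
     "CommandLine": "vxsearch.exe " + "A" * (JUNK_LEN + 4)},
    {"id": "other-binary", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe " + "A" * (JUNK_LEN + 4)},
]

def triage(events):
    """Map event id -> (page rule verdict, length rule verdict)."""
    return {e["id"]: (page_rule_matches(e), length_rule_matches(e)) for e in events}

if __name__ == "__main__":
    for event_id, (page, length) in triage(EVENTS).items():
        print(f"{event_id:13} page_rule={page!s:5} length_rule={length}")
```

Extended-length paths (the `\\?\` prefix) can legitimately exceed 260 characters, so treat a length hit as a triage signal rather than a verdict. Neither check sees input supplied through the GUI or an input file, which never reaches the process command line.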
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2018-25328 | Buffer Overflow | VX Search 10.6.18 |
| CVE-2018-25328 | RCE | VX Search 10.6.18 - local buffer overflow in directory field |
| CVE-2018-25328 | Code Injection | VX Search 10.6.18 - oversized string (271 bytes) in directory field to overwrite instruction pointer |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 17, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.