{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2018-25251/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2018-25251"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","code-execution","cve-2018-25251","snes9k"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSnes9K version 0.0.9z contains a buffer overflow vulnerability (CVE-2018-25251) within the Netplay functionality. Specifically, the application fails to properly validate the size of user-supplied input for the \u0026ldquo;Netplay Socket Port Number\u0026rdquo; field. By exploiting this vulnerability, a local attacker can overwrite the Structured Exception Handler (SEH) chain. Successful exploitation allows an attacker to execute arbitrary code within the context of the running Snes9K application, potentially leading to complete system compromise. The vulnerability resides within the Netplay Options menu, accessible from the Snes9K interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local access to a system with Snes9K 0.0.9z installed.\u003c/li\u003e\n\u003cli\u003eThe attacker opens the Snes9K application.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;Netplay Options\u0026rdquo; menu within the application.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the \u0026ldquo;Netplay Socket Port Number\u0026rdquo; field.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload designed to overwrite the SEH chain. 
This payload includes the address of the attacker\u0026rsquo;s shellcode.\u003c/li\u003e\n\u003cli\u003eThe attacker pastes the malicious payload into the \u0026ldquo;Netplay Socket Port Number\u0026rdquo; field, exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe application attempts to handle the overflow, triggering the SEH.\u003c/li\u003e\n\u003cli\u003eThe SEH is overwritten by the attacker\u0026rsquo;s payload, redirecting execution to the attacker\u0026rsquo;s shellcode. This results in arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability allows a local attacker to execute arbitrary code on the affected system. This could lead to complete system compromise, including data theft, installation of malware, and further lateral movement within the network. While the vulnerability requires local access, it could be leveraged as part of a more complex attack chain, for example, after initial access is gained through a separate vulnerability or social engineering.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the execution of Snes9K followed by unusual process creation, using the \u003ccode\u003eprocess_creation\u003c/code\u003e Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eMonitor for applications writing to Snes9K configuration files followed by the execution of Snes9K, using the \u003ccode\u003efile_event\u003c/code\u003e and \u003ccode\u003eprocess_creation\u003c/code\u003e Sigma rules provided below.\u003c/li\u003e\n\u003cli\u003eConsider removing the vulnerable software from systems or restricting access to it until a patched version is available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T14:16:21Z","date_published":"2026-04-04T14:16:21Z","id":"/briefs/2026-04-snes9k-overflow/","summary":"Snes9K 0.0.9z is 
vulnerable to a buffer overflow in the Netplay Socket Port Number field, enabling local attackers to execute arbitrary code via a crafted payload.","title":"Snes9K 0.0.9z Buffer Overflow Vulnerability (CVE-2018-25251)","url":"https://feed.craftedsignal.io/briefs/2026-04-snes9k-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2018-25251","version":"https://jsonfeed.org/version/1.1"}