{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/arm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2018-25432"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Whois 3.11"],"_cs_severities":["high"],"_cs_tags":["buffer overflow","seh overwrite","cve-2018-25432"],"_cs_type":"advisory","_cs_vendors":["Arm"],"content_html":"\u003cp\u003eArm Whois 3.11 is vulnerable to a buffer overflow (CVE-2018-25432) that can be exploited by local attackers. The vulnerability stems from insufficient bounds checking when processing input files. An attacker can leverage this flaw to overwrite the structured exception handler (SEH), enabling arbitrary code execution. The vulnerability was reported in 2026 and affects version 3.11 of Arm Whois. Successful exploitation requires the attacker to have local access to the system and the ability to supply a malicious input file to the vulnerable application. This poses a significant risk to systems running Arm Whois 3.11, as it allows for privilege escalation and potential system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a system running Arm Whois 3.11.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious input file containing a buffer overflow payload. This payload includes a 672-byte offset designed to overwrite the nSEH and SEH pointers.\u003c/li\u003e\n\u003cli\u003eThe attacker executes Arm Whois 3.11, providing the malicious input file as an argument or through other input mechanisms.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper bounds checking, the input file is processed without validation.\u003c/li\u003e\n\u003cli\u003eThe 672-byte offset in the malicious input overwrites the nSEH and SEH pointers in memory.\u003c/li\u003e\n\u003cli\u003eAn exception is triggered within Arm Whois 3.11.\u003c/li\u003e\n\u003cli\u003eThe overwritten SEH is invoked, redirecting execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code with the privileges of the Arm Whois process, potentially escalating privileges and compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2018-25432) allows a local attacker to execute arbitrary code on the target system. This can lead to privilege escalation, allowing the attacker to gain elevated access and control over the affected machine. The impact includes potential data theft, system compromise, and the installation of malware. The vulnerability poses a significant risk to any system running the vulnerable version of Arm Whois.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for instances of \u003ccode\u003earm-whois.exe\u003c/code\u003e and consider blocking execution until patched (reference affected products).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect potential exploitation attempts by monitoring process creation events related to \u003ccode\u003earm-whois.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates for Arm Whois 3.11 to remediate the buffer overflow vulnerability (CVE-2018-25432) as provided by the vendor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T22:18:20Z","date_published":"2026-06-01T22:18:20Z","id":"https://feed.craftedsignal.io/briefs/2026-06-cve-2018-25432-arm-whois-buffer-overflow/","summary":"Arm Whois 3.11 contains a buffer overflow vulnerability (CVE-2018-25432) that allows local attackers to execute arbitrary code by overwriting the structured exception handler via a crafted input file.","title":"CVE-2018-25432: Arm Whois 3.11 Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-cve-2018-25432-arm-whois-buffer-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25427"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Whois 3.11"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","rce","CVE-2018-25427"],"_cs_type":"advisory","_cs_vendors":["Arm"],"content_html":"\u003cp\u003eArm Whois 3.11 is susceptible to a stack-based buffer overflow vulnerability. This flaw allows a remote attacker to execute arbitrary code on a vulnerable system. The vulnerability, identified as CVE-2018-25427, arises from insufficient input validation when processing the IP address or domain field. By supplying an oversized input string exceeding 658 bytes, an attacker can overwrite the structured exception handler (SEH) and gain control of program execution. This vulnerability was disclosed on June 1, 2026. Successful exploitation leads to arbitrary code execution within the context of the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Arm Whois 3.11 instance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious input string exceeding 658 bytes. This string includes shellcode designed to execute arbitrary commands on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious input to the Arm Whois application, targeting the IP address or domain field.\u003c/li\u003e\n\u003cli\u003eThe Arm Whois application receives the input and attempts to process it without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized input overflows the stack buffer, overwriting the Structured Exception Handler (SEH) pointer.\u003c/li\u003e\n\u003cli\u003eWhen an exception occurs (triggered intentionally or unintentionally), the application attempts to use the overwritten SEH pointer.\u003c/li\u003e\n\u003cli\u003eThe execution flow is redirected to the attacker-controlled shellcode.\u003c/li\u003e\n\u003cli\u003eThe shellcode executes, granting the attacker arbitrary code execution within the context of the Arm Whois application, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25427 allows remote attackers to execute arbitrary code on systems running Arm Whois 3.11. This could lead to complete system compromise, data theft, or denial of service. Given the severity of the vulnerability (CVSS 9.8), it poses a significant risk to organizations using the affected software. The attacker gains full control of the vulnerable host.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a supported version of Arm Whois to remediate CVE-2018-25427.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Arm Whois Buffer Overflow Attempt\u003c/code\u003e to detect attempts to exploit this vulnerability via oversized input.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusually long strings being sent to Arm Whois services, which could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T22:17:07Z","date_published":"2026-06-01T22:17:07Z","id":"https://feed.craftedsignal.io/briefs/2026-06-arm-whois-overflow/","summary":"Arm Whois 3.11 is vulnerable to a stack-based buffer overflow (CVE-2018-25427) allowing remote attackers to execute arbitrary code by providing oversized input to the IP address or domain field.","title":"Arm Whois 3.11 Stack-Based Buffer Overflow Vulnerability (CVE-2018-25427)","url":"https://feed.craftedsignal.io/briefs/2026-06-arm-whois-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Arm","version":"https://jsonfeed.org/version/1.1"}