⚡ Active KEV CVE-2018-25427 2026-06-01

CVE-2018-25427: Stack Buffer Overflow in Arm Whois 3.11 Enables Arbitrary Code Execution

Arm Whois 3.11 contains a critical stack-based buffer overflow (CVSS 9.8) that lets an attacker execute arbitrary code by coercing the client to process a crafted WHOIS response or input, overwriting the structured exception handler.

What Is It

CVE-2018-25427 is a stack-based buffer overflow (CWE-121) in Arm Whois version 3.11, a Windows-based WHOIS lookup client. The flaw lives in the application's handling of the IP address or domain input field. Supplying input exceeding 658 bytes, padded with shellcode, overwrites the structured exception handler (SEH) on the stack. When the application subsequently processes the malformed input and triggers an exception, control transfers to attacker-supplied code, yielding arbitrary command execution in the context of the running user.

Because Arm Whois is a client-side desktop utility rather than a listening network service, exploitation requires the victim to run the client against attacker-influenced input (for example, by querying an attacker-controlled domain or by being induced to submit malicious input); the attacker cannot reach the application unsolicited over the network.
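The bug class described above, as an added illustration and not Arm Whois's own code (the client's source is not public and nothing below is taken from it): an unbounded copy of the query string into a fixed stack buffer, next to a hardened replacement that bounds the length before copying and rejects bytes a WHOIS query never needs. The buffer size, the function names and the sample inputs are assumptions; 658 is used only because the advisory gives it as the overflow threshold.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the client copies the user-supplied IP/domain into a
 * fixed-size stack buffer. The advisory says inputs over 658 bytes
 * reach the SEH record, so 658 is used here as a stand-in size; the
 * real buffer layout inside Arm Whois is not known from the brief. */
#define QUERY_BUF_LEN 658

/* Vulnerable pattern: unbounded copy with no length check. A query
 * longer than `out` runs past the array into saved stack state (CWE-121). */
void copy_query_unsafe(const char *input, char *out)
{
    strcpy(out, input);
}

/* Returns 1 if every byte is something a WHOIS query can legitimately
 * contain (letters, digits, '.', '-', ':', '/'), else 0. */
int query_charset_ok(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':' && c != '/')
            return 0;
    }
    return 1;
}

/* Hardened form: measure the input within the output bound *before*
 * copying, and reject anything outside the expected character set.
 * Returns 0 on success, -1 if the input is empty, has no terminator
 * within out_len bytes (i.e. is too long), or contains stray bytes. */
int copy_query_safe(const char *input, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && input[n] != '\0')   /* bounded length scan */
        n++;
    if (n == 0 || n == out_len)               /* empty, or no NUL in range */
        return -1;
    if (!query_charset_ok(input, n))
        return -1;
    memcpy(out, input, n + 1);                /* n < out_len, so the NUL fits */
    return 0;
}

/* Wrapper around a QUERY_BUF_LEN stack buffer: 0 if accepted, -1 if rejected. */
int copy_query_checked(const char *input)
{
    char query[QUERY_BUF_LEN];
    return copy_query_safe(input, query, sizeof query);
}

/* Builds a constructed query of `len` 'A' bytes and reports whether the
 * hardened copy rejects it (1) or accepts it (0). */
int oversized_query_rejected(size_t len)
{
    char big[2048];
    if (len >= sizeof big)
        len = sizeof big - 1;
    memset(big, 'A', len);
    big[len] = '\0';
    return copy_query_checked(big) == -1;
}

int main(void)
{
    char small[QUERY_BUF_LEN];
    copy_query_unsafe("example.com", small);   /* fine only because the input is short */
    printf("example.com   -> %d\n", copy_query_checked("example.com"));
    printf("192.0.2.0/24  -> %d\n", copy_query_checked("192.0.2.0/24"));
    printf("700 x 'A'     -> rejected=%d\n", oversized_query_rejected(700));
    printf("control byte  -> %d\n", copy_query_checked("host\x01name"));
    return 0;
}
```

The length scan never reads past `out_len` bytes of the input, so an unterminated or oversized query is rejected without the copy ever happening; the character-set check additionally strips the class of input the advisory describes (raw binary padding) long before it reaches any parsing code.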

Why It Matters

The CVSS 3.1 base score published in the NVD record is 9.8 (Critical), with a CVSS 4.0 secondary score of 9.3. The published vector lists attack vector as network (AV:N), complexity low (AC:L), no privileges required (PR:N), and no user interaction (UI:N), with High impact to confidentiality, integrity, and availability. In practice, the client-side nature of the application means real-world exploitation depends on the victim invoking the vulnerable client against malicious input, a nuance the headline score does not capture.

A public exploit is available on Exploit-DB (entry 45796), lowering the bar for opportunistic abuse. The SEH-overwrite technique is well understood and, based on the public proof-of-concept, appears workable against the affected Windows binary, though reliability in the wild will depend on the target environment (OS version, SEH protections, and binary build). No CISA KEV listing accompanies this CVE in the supplied material, so active in-the-wild exploitation is not confirmed by KEV at this time.

What's Vulnerable

The NVD record does not list affected CPEs beyond the description's reference to version 3.11.

Patch Status

The supplied source material does not reference a vendor patch, fixed version, or remediation guidance from armcode.com. Until a vendor fix is published, defenders should treat Arm Whois 3.11 as unsafe to use against untrusted input and consider removal or replacement with a maintained WHOIS client. Endpoint controls that block execution of the vulnerable binary, or application allowlisting, are reasonable interim mitigations given the client-side exposure.

Sources