CVE-2018-25241
Received Received - Intake
Denial of Service in Microsoft VPN Browser+ via Oversized Search Input

Publication date: 2026-04-04

Last updated on: 2026-04-04

Assigner: VulnCheck

Description
VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of characters into the search bar to trigger an unhandled exception that terminates the application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-04
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2018-25241
EUVD
EUVD-2018-21736
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
microsoft vpn_browser to 1.1.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Microsoft VPN Browser+ version 1.1.0.0 contains a denial of service (DoS) vulnerability that allows unauthenticated attackers to crash the application by submitting an oversized input buffer through the search functionality.

Attackers can paste a large number of characters into the search bar, triggering an unhandled exception that causes the application to terminate unexpectedly.

This vulnerability is remotely exploitable without authentication or user interaction and results in a high impact on the application's availability.

Compliance Impact

The provided information does not specify any direct impact of this denial of service vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can cause the Microsoft VPN Browser+ application to crash unexpectedly, resulting in a denial of service.

Since the application becomes unavailable, users relying on it for VPN connectivity or related functions may experience interruptions or loss of service.

The vulnerability can be exploited remotely by unauthenticated attackers without any user interaction, making it easier to disrupt service.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the denial of service condition on the VPN Browser+ application. Specifically, you can test the search functionality by submitting an oversized input buffer.

One practical method is to create a large payload of characters (e.g., 5800 "A" characters) and paste it into the search bar of VPN Browser+. If the application crashes or terminates unexpectedly, it indicates the presence of the vulnerability.

A sample command to generate such a payload file on a system with Python installed is:

  • python -c "print('A'*5800)" > PoC.txt

You can then open the PoC.txt file, copy its contents, and paste it into the VPN Browser+ search bar to test for the crash.

Mitigation Strategies

To mitigate this vulnerability immediately, avoid using the search functionality in VPN Browser+ with untrusted or oversized input.

Since the vulnerability allows unauthenticated remote attackers to crash the application by submitting large input buffers, restricting access to the VPN Browser+ application or disabling the search feature temporarily can reduce risk.

Additionally, monitor for updates or patches from the vendor that address this denial of service vulnerability and apply them as soon as they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart