Security readout for executives and security teams
Plain-English summary
Terminal Services Manager 3.1 has a high-severity memory corruption flaw. A malicious computer-list input can crash the application and redirect execution, potentially running attacker-controlled code. The issue matters most where administrators still use this older tool on privileged workstations or servers.
Executive priority
Prioritize discovery and containment on privileged administrator machines. If version 3.1 is present, treat it as a high-risk legacy tool until vendor guidance or removal resolves exposure.
Technical view
The source bundle describes a stack-based buffer overflow in the computer names field, leading to SEH overwrite during import through the add computers wizard. Public Exploit-DB and VulnCheck references exist. The CVE metadata lists CWE-306, but the described weakness is buffer overflow/SEH behavior, so classification evidence is inconsistent.
Likely exposure
Exposure is likely limited to environments running Lizardsystems Terminal Services Manager version 3.1. Risk increases if the tool is used on administrator systems or processes files from untrusted sources.
Exploitation context
The source bundle includes a public exploit reference, but CISA KEV is false and no provided source confirms active exploitation. The described attack is local and input-file driven, not a remote network service attack.
Researcher notes
Evidence supports a local stack overflow with SEH overwrite in Terminal Services Manager 3.1 and public exploit availability. The record does not provide a vendor patch, affected CPEs, or confirmed exploitation in the wild.
Mitigation direction
- Inventory systems for Terminal Services Manager 3.1.
- Restrict use of the add computers import function to trusted files only.
- Run the tool with least necessary privileges where possible.
- Check Lizardsystems guidance for updates, replacements, or vendor-recommended mitigations.
- Remove the software if it is no longer required.
Validation and detection
- Confirm whether Terminal Services Manager is installed.
- Verify installed version is 3.1 or another affected release named by vendor guidance.
- Review administrative workstations and servers first.
- Check file-handling workflows for untrusted computer-name imports.
- Monitor vendor and CVE sources for updated remediation details.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2018-25259 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 8.6 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
8.6HighVector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- ExploitDB-46058CVE reference · exploit
- Official Product HomepageCVE reference · product
- VulnCheck Advisory: Terminal Services Manager 3.1 Buffer Overflow SEHCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Missing Authentication for Critical Function
Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
