Description
Softros LAN Messenger 9.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the custom log files location field. Attackers can input a buffer of 2000 characters in the Log Files Location custom path parameter to trigger a crash when the OK button is clicked.
Published: 2026-03-30
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (application crash)
Action: Immediate Patch
AI Analysis

Impact

A local attacker can crash Softros LAN Messenger 9.2 by entering an overly long string, such as a buffer of 2000 characters, into the custom Log Files Location field. The program terminates when the OK button is pressed, resulting in a loss of service for the user. The flaw is classified as CWE-1285 (Improper Validation of Specified Index, Position, or Offset in Input).

Affected Systems

The vulnerability is limited to Softros LAN Messenger version 9.2. Users of other versions are not mentioned as affected and therefore are considered safe unless newer releases contain similar code.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, while the EPSS < 1% suggests that exploitation in the wild is unlikely. The flaw is not listed in the CISA KEV catalog, and no automated exploits are publicly available beyond the manual demonstration on Exploit‑DB. The attack requires local access to the application’s configuration interface, and it can be performed by any user who can launch the software and modify the log path. The resulting crash is a classic denial‑of‑service scenario.

Generated by OpenCVE AI on April 8, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Softros website or support portal for an official patch or newer version that removes the vulnerability.
  • If no patch is available, restrict local user rights so that only trusted administrators can change the Log Files Location setting.
  • As a temporary workaround, avoid entering unusually long custom log file paths; use the default location or a short, reasonable path that stays within typical filesystem limits.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Softros; Softros softros Lan Messenger |
| CPEs | | `cpe:2.3:a:softros:softros_lan_messenger:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Softros; Softros softros Lan Messenger |

Wed, 01 Apr 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Messenger; Messenger softros Lan Messenger |
| Vendors & Products | | Messenger; Messenger softros Lan Messenger |

Mon, 30 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Mon, 30 Mar 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Softros LAN Messenger 9.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the custom log files location field. Attackers can input a buffer of 2000 characters in the Log Files Location custom path parameter to trigger a crash when the OK button is clicked. |
| Title | | Softros LAN Messenger 9.2 Denial of Service via Log Files Location |
| Weaknesses | | CWE-1285 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}` |
| | | cvssV4_0: `{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T15:59:46.180Z

Reserved: 2026-03-30T10:58:26.053Z

Link: CVE-2018-25232

Vulnrichment

Updated: 2026-03-30T15:59:40.657Z

NVD

Status: Analyzed

Published: 2026-03-30T12:16:17.077

Modified: 2026-04-08T16:54:36.510

Link: CVE-2018-25232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:42Z

Weaknesses