📄 Description (English)
Fathom 2.4 contains a buffer overflow vulnerability in the Authorization Code field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 6000-byte payload into the Authorization Code field and click Activate to trigger a denial of service condition.
🤖 AI Executive Summary
CVE-2018-25285 is a buffer overflow vulnerability in Fathom 2.4 affecting the Authorization Code field, allowing local attackers to cause denial of service by submitting oversized input strings. With no available patch and no public exploit, the risk is moderate but requires immediate mitigation through input validation controls. Organizations using Fathom 2.4 should prioritize upgrading to newer versions or implementing compensating controls.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 25, 2026 05:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi government agencies, financial institutions, and enterprises using Fathom 2.4 for authentication and authorization management. Government entities under NCA oversight and SAMA-regulated financial institutions are at moderate risk of service disruption. The local-only attack vector limits exposure but could be exploited by insider threats or compromised accounts within organizational networks. Telecom and energy sectors using Fathom for access control face operational continuity risks.
🏢 Affected Saudi Sectors
Government
Banking and Financial Services
Healthcare
Energy and Utilities
Telecommunications
Enterprise IT
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
5.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all systems running Fathom 2.4 across your organization
2. Restrict local access to Fathom 2.4 applications through network segmentation and access controls
3. Implement input validation and length restrictions on the Authorization Code field (maximum 256 bytes recommended)
4. Enable application logging and monitoring for oversized input attempts
Patching Guidance:
5. Upgrade to Fathom 3.0 or later versions immediately
6. If upgrade is not immediately possible, apply vendor security patches when available
Compensating Controls:
7. Implement Web Application Firewall (WAF) rules to block requests with Authorization Code fields exceeding safe length thresholds
8. Deploy runtime application self-protection (RASP) to detect and block buffer overflow attempts
9. Restrict Fathom 2.4 access to trusted internal networks only
10. Implement rate limiting on Authorization Code submission endpoints
Detection Rules:
11. Monitor for HTTP requests with Authorization Code parameters exceeding 1000 bytes
12. Alert on application crashes or service restarts correlated with oversized input submissions
13. Log all failed authorization attempts with payload size analysis
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تعمل بـ Fathom 2.4 عبر مؤسستك
2. تقييد الوصول المحلي إلى تطبيقات Fathom 2.4 من خلال تقسيم الشبكة وعناصر التحكم في الوصول
3. تنفيذ التحقق من الإدخال وقيود الطول على حقل رمز التفويض (يُنصح بحد أقصى 256 بايت)
4. تفعيل تسجيل التطبيق والمراقبة لمحاولات الإدخال الكبيرة الحجم
إرشادات التصحيح:
5. الترقية إلى Fathom 3.0 أو إصدارات أحدث على الفور
6. إذا لم تكن الترقية ممكنة على الفور، طبق رقع الأمان من البائع عند توفرها
عناصر التحكم التعويضية:
7. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات التي تتجاوز حدود طول رمز التفويض الآمنة
8. نشر الحماية الذاتية لتطبيقات وقت التشغيل (RASP) للكشف عن محاولات تجاوز المخزن المؤقت وحظرها
9. تقييد وصول Fathom 2.4 إلى الشبكات الداخلية الموثوقة فقط
10. تنفيذ تحديد معدل على نقاط نهاية تقديم رمز التفويض
قواعد الكشف:
11. مراقبة طلبات HTTP برموز تفويض تتجاوز 1000 بايت
12. التنبيه على أعطال التطبيق أو إعادة تشغيل الخدمة المرتبطة بتقديم إدخال كبير الحجم
13. تسجيل جميع محاولات التفويض الفاشلة مع تحليل حجم الحمولة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.IP-12 - Security awareness and training for secure coding
DE.CM-8 - Vulnerability scans and assessments
🟡 ISO 27001:2022
A.14.2.1 - Secure development policy and procedures
A.14.2.5 - Secure development environment
A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
6.2 - Ensure security patches are installed
6.5.1 - Injection flaws prevention
11.2 - Vulnerability scanning
🔗 References & Sources 4
🔗
🔗
🔗
🔗
https://fathom.concord.org/
disclosure@vulncheck.com
https://fathom.concord.org/download/
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/45294
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/fathom-denial-of-service-via-authorization-code-bu...
disclosure@vulncheck.com