CVE-2019-25327
📋 TL;DR
CVE-2019-25327 is a critical buffer overflow vulnerability in Prime95 version 29.8 build 6 that allows remote attackers to execute arbitrary code by crafting malicious payloads in user input fields. This affects users running the vulnerable version of Prime95, particularly those participating in the GIMPS distributed computing project. Successful exploitation can lead to complete system compromise.
💻 Affected Systems
- Prime95
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Attackers gain remote shell access on port 3110, allowing them to execute commands, install malware, or pivot to other systems.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are applied, though local system compromise remains possible.
🎯 Exploit Status
Public exploit code is available on Exploit-DB (47802) demonstrating remote code execution via crafted payloads. The exploit triggers a bind shell on port 3110.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 29.8 build 7 and later
Vendor Advisory: https://www.mersenne.org/download/
Restart Required: Yes
Instructions:
1. Download the latest version from mersenne.org/download/.
2. Stop Prime95 service/process.
3. Install the updated version.
4. Restart Prime95 service/process.
🔧 Temporary Workarounds
Network Segmentation
Block inbound/outbound connections to port 3110 at the network perimeter and host firewall (all platforms)
Windows: netsh advfirewall firewall add rule name="Block Prime95 Exploit" dir=in action=block protocol=TCP localport=3110
Linux: iptables -A INPUT -p tcp --dport 3110 -j DROP
Input Validation
Implement application-level input validation for the PrimeNet user ID and proxy host fields (all platforms)
🧯 If You Can't Patch
- Immediately isolate affected systems from network access, especially internet-facing connections
- Implement strict firewall rules to block all traffic to/from port 3110 and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check Prime95 version by running 'prime95 -v' or checking Help → About in GUI. If version is 29.8 build 6, system is vulnerable.
Check Version:
prime95 -v
Verify Fix Applied:
Verify version is 29.8 build 7 or later using same method. Test that malicious payloads in user ID field no longer cause crashes.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of prime95.exe
- Unusual network connections to/from port 3110
- Suspicious command execution from Prime95 process
Network Indicators:
- Outbound connections to port 3110 from Prime95 process
- Inbound connections to port 3110 from external IPs
- Unusual network traffic patterns from Prime95
SIEM Query:
process_name:prime95.exe AND (destination_port:3110 OR event_id:1000 OR suspicious_command_execution)
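The network indicators listed above can be applied to exported connection records as follows. This is an added example, not part of the original advisory or of any vendor tooling; the record schema, the indicator labels and the internal address ranges are assumptions, and the sample records are constructed.

```python
import ipaddress

EXPLOIT_PORT = 3110  # bind-shell port named in this advisory

# Assumption: these RFC 1918 ranges are what the site treats as "internal".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a hypothetical schema (not a real log format).
SAMPLE_EVENTS = [
    {"process": "prime95.exe", "direction": "out", "remote_ip": "203.0.113.7", "local_port": 49812, "remote_port": 443},
    {"process": "prime95.exe", "direction": "in", "remote_ip": "198.51.100.23", "local_port": 3110, "remote_port": 51544},
    {"process": "prime95.exe", "direction": "in", "remote_ip": "10.0.0.15", "local_port": 3110, "remote_port": 40022},
    {"process": "prime95.exe", "direction": "out", "remote_ip": "192.0.2.50", "local_port": 50001, "remote_port": 3110},
    {"process": "chrome.exe", "direction": "out", "remote_ip": "203.0.113.9", "local_port": 50002, "remote_port": 443},
]


def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(event):
    """Return the indicator label matched by one record, or None."""
    proc = event["process"].lower()
    if event["direction"] == "in" and event["local_port"] == EXPLOIT_PORT:
        # Inbound to 3110: the advisory ties this port to the exploit's bind shell.
        # External sources are the stated indicator; internal ones may be lateral movement.
        scope = "external" if is_external(event["remote_ip"]) else "internal"
        return "inbound-3110-" + scope
    if event["direction"] == "out" and event["remote_port"] == EXPLOIT_PORT and proc.startswith("prime95"):
        return "outbound-3110-from-prime95"
    return None  # ordinary traffic, e.g. Prime95 over 443


def scan(events):
    """Return (process, remote_ip, indicator) for every record that matches."""
    return [(e["process"], e["remote_ip"], hit) for e in events if (hit := triage(e))]


if __name__ == "__main__":
    for process, remote_ip, indicator in scan(SAMPLE_EVENTS):
        print(f"{indicator}: {process} <-> {remote_ip}")
```

Unlike the SIEM query above, which matches any of its three terms, this check keys only on port 3110, so an unrelated prime95.exe crash does not raise an alert.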