CVE-2018-10608 in AcSELerator Architect

Summary

by MITRE

SEL AcSELerator Architect version 2.2.24.0 and prior can be exploited when the AcSELerator Architect FTP client connects to a malicious FTP server, which may cause denial of service via 100% CPU utilization. Restart of the application is required.

Analysis

by VulDB Data Team • 09/16/2025

The vulnerability identified as CVE-2018-10608 affects SEL AcSELerator Architect version 2.2.24.0 and earlier installations, representing a significant security weakness in the software's handling of FTP client connections. This issue manifests when the application's FTP client component establishes communication with a maliciously configured FTP server, creating a scenario where the targeted system experiences complete CPU exhaustion. The vulnerability stems from inadequate input validation and error handling mechanisms within the FTP client implementation, which fails to properly manage malicious responses from remote servers. The affected software operates within the industrial control systems domain, where reliability and continuous operation are paramount for critical infrastructure protection.

The flaw is a denial of service condition that drives the application's CPU utilization to 100% of available processing power. This occurs because the AcSELerator Architect FTP client lacks proper safeguards against malformed or malicious FTP responses that could trigger infinite loops or recursive processing. The vulnerability is classified under CWE-400, Uncontrolled Resource Consumption, where the application fails to implement adequate resource management controls. When exploited, the malicious FTP server can send specially crafted responses that cause the client to enter an unbounded processing cycle, rendering the application non-responsive and requiring manual intervention through an application restart.

The operational impact of this vulnerability extends beyond simple service disruption, as it can compromise the integrity of industrial control system operations where AcSELerator Architect is deployed. The requirement for application restart indicates that the system cannot recover automatically from the resource exhaustion condition, potentially leading to extended downtime in critical environments. This vulnerability directly impacts the availability aspect of the CIA triad and can be classified under ATT&CK technique T1499.004 for Network Denial of Service, where adversaries leverage application-level vulnerabilities to exhaust system resources. The attack vector specifically targets the network communication layer through FTP protocol handling, making it particularly dangerous in environments where industrial systems must maintain continuous operation without interruption.

Mitigation strategies for CVE-2018-10608 should focus on immediate software updates to versions that address the FTP client processing flaw, alongside network-level protections that can prevent unauthorized FTP server access. Organizations should implement network segmentation to isolate industrial control systems from untrusted network segments and deploy intrusion detection systems capable of identifying malicious FTP traffic patterns. The recommended approach includes disabling unnecessary FTP functionality within the application when not required for operation, implementing proper input validation for all FTP responses, and establishing monitoring protocols to detect abnormal CPU utilization patterns. Additionally, security awareness training for system administrators should emphasize the importance of keeping industrial control software updated and understanding the operational risks associated with legacy software versions that may contain unpatched vulnerabilities.
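As an added illustration, not part of the VulDB record or of SEL's own code, the following Python reader applies the controls the analysis recommends for an FTP client: every server reply is parsed under a fixed byte and line budget, so a hostile server cannot keep the client looping (CWE-400). The budgets and the reply samples are constructed for the example.

```python
import io
import re

# Constructed budgets for this example; the real AcSELerator Architect limits
# (if any) are not known from the advisory.
MAX_LINE_BYTES = 1024
MAX_REPLY_LINES = 64

_CODE = re.compile(rb"^(\d{3})([ -])")


class UnsafeReply(Exception):
    """Raised when a server reply exceeds the client's resource budget."""


def read_reply(stream):
    """Read one RFC 959 reply from a binary file-like object with strict bounds.
    A reply is a single 'NNN text' line or a block opened by 'NNN-text' and
    closed by a line starting 'NNN ' with the same code; every loop is bounded."""
    lines, code = [], None
    while True:
        if len(lines) >= MAX_REPLY_LINES:
            raise UnsafeReply("multi-line reply exceeds line budget")
        raw = stream.readline(MAX_LINE_BYTES + 2)  # +2 allows the CRLF
        if not raw:
            raise UnsafeReply("connection closed mid-reply")
        if not raw.endswith(b"\n"):
            raise UnsafeReply("reply line exceeds byte budget")
        line = raw.rstrip(b"\r\n")
        m = _CODE.match(line)
        if code is None:  # the first line must carry the reply code
            if not m:
                raise UnsafeReply("reply does not start with a 3-digit code")
            code = m.group(1)
        lines.append(line.decode("ascii", "replace"))
        if m and m.group(1) == code and m.group(2) == b" ":
            return int(code), lines


def read_reply_bytes(data):
    """Parse a captured reply from bytes; returns (code, lines)."""
    return read_reply(io.BytesIO(data))


def reply_is_safe(data):
    """True if the reply parses within budget, False if it was rejected."""
    try:
        read_reply_bytes(data)
        return True
    except UnsafeReply:
        return False
```

On a live connection, pair this with `sock.settimeout(...)` and `sock.makefile("rb")` so a server that stalls instead of flooding is also bounded.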

Reservation

05/01/2018

Disclosure

07/24/2018

Moderation

accepted

CPE

ready

EPSS

0.05467

KEV

no

Activities

very low
