If you've ever donated your computer's spare processing power to help discover the world's largest prime numbers, a quietly disclosed vulnerability means that generous act could have handed an attacker the keys to your machine.
Who's Affected — and Why It Matters
Prime95 isn't just nerdy number-crunching software. It's the backbone of the Great Internet Mersenne Prime Search (GIMPS), a volunteer distributed computing project that has used ordinary people's home PCs and servers to discover 17 of the largest known prime numbers in history. The software has been downloaded millions of times across Windows, macOS, and Linux, and runs silently in the background on computers belonging to university researchers, hobbyist mathematicians, and overclockers who use it as the gold-standard stress test for their hardware. Many of those machines run Prime95 with elevated system privileges — exactly the kind of access an attacker would want to inherit.
Beyond individual hobbyists, Prime95 is a fixture in IT labs and academic computing environments. A compromised install doesn't just mean one person's machine. In networked environments, it can be a foothold into something much larger.
What an Attacker Can Actually Do
Here's the scenario, in plain terms. Prime95 allows users to connect to the GIMPS network through a proxy server — a common setup in corporate offices or universities where internet traffic is routed through a central point. To configure this, there's a simple settings screen with a text box asking for the proxy server's hostname. That text box has a fatal flaw: it trusts you completely. Type in far more text than it was designed to hold, and the software doesn't just crash gracefully — it spills that excess data into parts of the computer's memory it was never supposed to touch.
An attacker who can get a victim to open a maliciously crafted Prime95 configuration file — something as innocent-looking as a shared overclock profile posted on a forum, or a pre-configured settings file distributed inside an organization — can use that overflow to smuggle in their own instructions. The software then executes those instructions with whatever level of permission Prime95 already has. On many systems, especially those using it for hardware stress testing, that's a high level of access indeed.
Think of it like this: the proxy hostname field is a parking space designed for a compact car. An attacker drives in a semi-truck, and the overflow crushes the neighboring structures — structures that happen to control what the program does next. The attacker has just rewritten the building's blueprints from the parking lot.
The Technical Detail That Should Make Researchers Pay Attention
The vulnerability is a classic stack-based buffer overflow that specifically abuses Structured Exception Handling (SEH) chains — a Windows error-handling mechanism that attackers have weaponized for decades. By overwriting the SEH registration records on the stack, an attacker can redirect execution flow when the program attempts to recover from its own crash, turning the recovery mechanism into the attack vector itself. This technique is well-understood, well-tooled in frameworks like Metasploit, and notoriously difficult to catch with basic input validation alone. The flaw carries a CVSS score of 8.4 (HIGH) under CVE-2018-25299, and critically affects Prime95 version 29.4b8 on all supported platforms.
Has Anyone Actually Used This?
As of publication, there is no confirmed evidence of active exploitation in the wild. No threat actor campaigns have been publicly attributed to this vulnerability, and no known victims have come forward. The CVE was assigned retrospectively — a sign that the flaw may have existed quietly for years before a researcher thought to look closely at what that settings field was actually doing with user input.
That's both reassuring and sobering. "No known exploitation" frequently means "no detected exploitation." Prime95 runs silently, often at startup, on machines that aren't always closely monitored. It's exactly the kind of quiet, trusted, long-installed application that sophisticated attackers — particularly those running supply-chain or targeted intrusion campaigns — love to probe. The security community should treat the lack of observed attacks as a window of opportunity to patch, not proof that the risk is theoretical.
What You Should Do Right Now
- Update Prime95 immediately to version 30.8 build 6 or later. Visit the official GIMPS download page at mersenne.org/download directly — do not download updates from third-party sites, forums, or file-sharing platforms. Verify the file hash against the checksums published on the official page before installing.
- Audit who is running Prime95 in your environment and with what privileges. If you manage a lab, university network, or corporate environment where Prime95 is deployed for stress testing, confirm that it is not running as a local administrator or SYSTEM-level account. Downgrade its privileges to the lowest level required for the software to function. If it doesn't need to connect to the GIMPS network in your environment, disable the PrimeNet connection entirely in the settings.
- Treat all Prime95 configuration files from external sources as untrusted. Do not import .ini configuration files or preset profiles shared on forums, Discord servers, or anywhere outside your direct control until you have patched to a safe version. If you are a system administrator, add Prime95 configuration files to your list of file types that should be scanned and reviewed before being permitted on managed machines.
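One way to pre-screen shared configuration files before they reach a managed machine, as an added example that is not code from the Prime95 project or from this advisory. It assumes the proxy hostname is stored as a `key=value` line whose key contains both "proxy" and "host"; that key matching, the 1024-character ceiling and the sample file contents are assumptions, while 253 characters is the longest valid DNS name.

```python
import re

MAX_HOSTNAME = 253   # longest valid DNS name in text form
MAX_VALUE = 1024     # ceiling for any other setting (assumed threshold)
# Optional scheme, hostname characters only, optional port.
HOST_RE = re.compile(r"^(?:https?://)?(?P<host>[A-Za-z0-9.-]+)(?::\d{1,5})?$")

def is_proxy_host_key(key):
    # Assumption: the proxy hostname key contains both words, e.g. "ProxyHost".
    k = key.lower()
    return "proxy" in k and "host" in k

def audit_ini(text):
    """Return (line_no, key, reason) findings for one config file's text."""
    findings = []
    for line_no, raw in enumerate(text.split("\n"), start=1):
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue  # blank line, comment, section header or non-setting
        key, value = (p.strip() for p in line.split("=", 1))
        if not value:
            continue  # an empty setting cannot overflow anything
        if is_proxy_host_key(key):
            m = HOST_RE.match(value)
            if m is None:
                findings.append((line_no, key, "not a valid hostname"))
            elif len(m.group("host")) > MAX_HOSTNAME:
                findings.append((line_no, key, "hostname too long"))
        elif len(value) > MAX_VALUE:
            findings.append((line_no, key, "oversized value"))
    return findings

def audit_file(path):
    # latin-1 maps every byte to a character, so binary junk cannot abort the scan.
    with open(path, "r", encoding="latin-1", newline="") as fh:
        return audit_ini(fh.read())

# Constructed samples; section and key names are assumptions, not from the page.
GOOD = "[PrimeNet]\nProxyHost=proxy.example.edu:8080\nProxyUser=lab\n"
LONG = "[PrimeNet]\nProxyHost=" + "A" * 4000 + "\n"
JUNK = "[PrimeNet]\nProxyHost=proxy\x90\x90.example.edu\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("LONG", LONG), ("JUNK", JUNK)):
        print(name, audit_ini(sample))
```

Any finding is a reason to quarantine the file for manual review rather than proof of malice; a clean result does not replace patching.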
CVE-2018-25299 | CVSS 8.4 HIGH | Affected version: Prime95 29.4b8 | Patched in: 30.8b6 and later | No active exploitation confirmed at time of publication.