Cyber Resilience

CVE-2018-25302

HighPublic PoC

Published: 29 April 2026

Published
29 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0016 5.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2018-25302 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Alloksoft (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 5.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-16 (Memory Protection).

Deeper analysis

CVE-2018-25302 is a structured exception handling (SEH) based buffer overflow vulnerability in Allok AVI to DVD SVCD VCD Converter version 4.0.1217. The flaw occurs when a malicious string is supplied in the License Name field, leading to arbitrary code execution. It is classified under CWE-120 (Buffer Copy without Checking Size of Input) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Local attackers can exploit this vulnerability by crafting a payload consisting of junk data, an NSEH bypass, an SEH handler address, and shellcode. The overflow is triggered by pasting the payload into the License Name field and clicking the Register button, resulting in code execution under the context of the application.

Advisories and references, including an Exploit-DB entry at https://www.exploit-db.com/exploits/44549 and a Vulncheck advisory at https://www.vulncheck.com/advisories/allok-avi-to-dvd-svcd-vcd-converter-buffer-overflow-seh, detail the exploit and vulnerability. The vendor site at http://www.alloksoft.com/ is referenced, but no patches or specific mitigations are described in the available information.

EU & UK References

Vulnerability details

Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a…

more

payload with junk data, NSEH bypass, SEH handler address, and shellcode that triggers the overflow when pasted into the License Name field and the Register button is clicked, resulting in code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Local SEH buffer overflow in client app directly enables arbitrary code execution via crafted malicious input (T1203 Exploitation for Client Execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37028Shared CWE-120
CVE-2020-37010Shared CWE-120
CVE-2025-27832Shared CWE-120
CVE-2024-57509Shared CWE-120
CVE-2025-66287Shared CWE-120
CVE-2025-27833Shared CWE-120
CVE-2022-47090Shared CWE-120
CVE-2018-25301Shared CWE-120
CVE-2019-25232Shared CWE-120
CVE-2020-37050Shared CWE-120

Affected Assets

Alloksoft
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification, prioritization, and correction of system flaws, directly mitigating this known SEH-based buffer overflow by patching or removing the vulnerable Allok converter.

prevent

Implements memory safeguards such as DEP and ASLR that prevent arbitrary code execution from SEH handler overwrites in buffer overflow exploits.

prevent

Prohibits use of unsupported system components like this outdated Allok AVI to DVD SVCD VCD Converter version 4.0.1217, preventing installation of vulnerable software.

References