Cyber Resilience

CVE-2018-25314

HighPublic PoC

Published: 29 April 2026

Published
29 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0016 6.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2018-25314 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Alloksoft (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2018-25314 is a buffer overflow vulnerability (CWE-120) in Allok Soft WMV to AVI MPEG DVD WMV Converter version 4.6.1217. The flaw arises when an oversized string is supplied in the License Name field, triggering a buffer overflow that enables local attackers to execute arbitrary code. Attackers can craft malicious input incorporating shellcode with a structured exception handler (SEH) overwrite to bypass protections and gain code execution under the application's privileges. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Local attackers with access to the system can exploit this issue with low attack complexity and no user interaction or privileges required. Successful exploitation allows arbitrary code execution, potentially compromising confidentiality, integrity, and availability at a high level through the application's context.

Advisories and references include the vendor sites at alloksoft.com and its WMV product page, an Exploit-DB proof-of-concept at exploit-db.com/exploits/44365, and a Vulncheck advisory detailing the buffer overflow in the affected software. No patches or specific mitigations are detailed in the provided CVE information.

EU & UK References

Vulnerability details

Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized string in the License Name field. Attackers can craft a malicious input containing…

more

shellcode with structured exception handler (SEH) overwrite to bypass protections and execute code with application privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local buffer overflow with SEH overwrite directly enables arbitrary code execution as the application process, mapping to exploitation for privilege escalation or code execution on a local system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25299Shared CWE-120
CVE-2026-1679Shared CWE-120
CVE-2026-28925Shared CWE-120
CVE-2018-9387Shared CWE-120
CVE-2025-71263Shared CWE-120
CVE-2020-37049Shared CWE-120
CVE-2025-47388Shared CWE-120
CVE-2018-25263Shared CWE-120
CVE-2022-49754Shared CWE-120
CVE-2025-49495Shared CWE-120

Affected Assets

Alloksoft
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and bounds checking of user inputs like the License Name field to prevent buffer overflows from oversized strings.

prevent

Enforces memory protections such as non-executable stacks, DEP, and ASLR to block SEH overwrite and arbitrary code execution in buffer overflow exploits.

prevent

Mandates timely flaw remediation, including patching or removing vulnerable software like Allok Converter 4.6.1217 affected by this buffer overflow.

References