CVE-2019-25268
Published: 08 January 2026
Summary
CVE-2019-25268 is a critical-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks at the 25.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-3 (Malicious Code Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-7 verifies the integrity of software components like sdl2.dll and libegl.dll using signatures or checksums, preventing substitution with malicious versions from untrusted remote shares.
CM-10 enforces execution of only authorized software via whitelisting or deny-by-default policies, blocking malicious DLLs loaded during BEopt file opening from WebDAV or SMB shares.
SI-3 deploys anti-malware tools to scan and block malicious DLLs exploited in the untrusted search path vulnerability when BEopt files are opened from remote shares.
NVD Description
NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious libraries on WebDAV or SMB shares to execute unauthorized code.
Deeper analysis
CVE-2019-25268 is a DLL hijacking vulnerability in NREL BEopt version 2.8.0.0. The software insecurely loads the sdl2.dll and libegl.dll libraries, enabling attackers to substitute malicious versions and execute arbitrary code. This issue, classified under CWE-427 (Uncontrolled Search Path Element), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for complete system compromise.
Attackers can exploit the vulnerability remotely without authentication or user interaction beyond tricking victims into opening application files hosted on WebDAV or SMB shares. By placing malicious sdl2.dll or libegl.dll files on these shares, adversaries achieve remote code execution when the file is opened, with high impact on confidentiality, integrity, and availability.
Security advisories documenting the issue are available at sources including CXSecurity (WLB-2019030108), IBM X-Force Exchange, Packet Storm Security, the archived BEopt NREL site, and Zero Science (ZSL-2019-5513). No specific patches or vendor mitigations are detailed in the CVE description.
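For detection, the condition described above (sdl2.dll or libegl.dll mapped from a WebDAV or SMB location) can be checked against image-load telemetry. The following is an added example, not code from the advisories or from NREL; the pipe-delimited record format, the paths and the host names are constructed, and the field names `Image`, `ImageLoaded` and `Signed` are modeled on Sysmon image-load events.

```python
import ntpath
import re

# DLL names the description above reports as insecurely loaded.
WATCHED_DLLS = {"sdl2.dll", "libegl.dll"}
# UNC paths cover SMB (\\host\share) and the WebDAV redirector (\\host@SSL\DavWWWRoot).
# The lookahead skips local device / extended-length prefixes (\\.\ and \\?\).
UNC_RE = re.compile(r"^\\\\(?![?.]\\)(?P<host>[^\\]+)\\")

# Constructed sample records (placeholder application path and hosts).
SAMPLE = [
    r"Image=C:\Apps\EXAMPLE\app.exe|ImageLoaded=C:\Apps\EXAMPLE\sdl2.dll|Signed=true",
    r"Image=C:\Apps\EXAMPLE\app.exe|ImageLoaded=\\fileserver.example\projects\sdl2.dll|Signed=false",
    r"Image=C:\Apps\EXAMPLE\app.exe|ImageLoaded=\\dav.example@SSL\DavWWWRoot\docs\LibEGL.dll|Signed=false",
    r"Image=C:\Apps\EXAMPLE\app.exe|ImageLoaded=\\fileserver.example\projects\other.dll|Signed=false",
    r"Image=C:\Apps\EXAMPLE\app.exe|ImageLoaded=\\?\C:\Apps\EXAMPLE\libegl.dll|Signed=true",
]

def parse_image_load(line):
    """Parse one constructed 'key=value|key=value' image-load record into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)

def remote_host(path):
    """Return the remote host for a UNC path, or None for a local path."""
    if path.upper().startswith("\\\\?\\UNC\\"):  # \\?\UNC\host\share is still remote
        path = "\\\\" + path[8:]
    m = UNC_RE.match(path)
    return m.group("host") if m else None

def find_remote_dll_loads(lines, watched=WATCHED_DLLS):
    """Return one alert per watched DLL that was loaded from a UNC location.

    Shares mapped to a drive letter are not visible from the path alone and
    need drive-mapping context that this sketch does not have.
    """
    alerts = []
    for line in lines:
        rec = parse_image_load(line)
        loaded = rec.get("ImageLoaded", "")
        name = ntpath.basename(loaded).lower()  # Windows names are case-insensitive
        host = remote_host(loaded)
        if name in watched and host:
            alerts.append({"process": rec.get("Image", ""), "dll": name, "host": host,
                           "signed": rec.get("Signed", "").lower() == "true"})
    return alerts

if __name__ == "__main__":
    for alert in find_remote_dll_loads(SAMPLE):
        print(alert)
```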
Details
- CWE(s)