Cyber Resilience

CVE-2019-25268

HighPublic PoC

Published: 08 January 2026

Published
08 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0037 28.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2019-25268 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2019-25268 is a DLL hijacking vulnerability in NREL BEopt version 2.8.0.0. The software insecurely loads the sdl2.dll and libegl.dll libraries, enabling attackers to substitute malicious versions and execute arbitrary code. This issue, classified under CWE-427 (Untrusted Search Path), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for complete system compromise.

Attackers can exploit the vulnerability remotely without authentication or user interaction beyond tricking victims into opening application files hosted on WebDAV or SMB shares. By placing malicious sdl2.dll or libegl.dll files on these shares, adversaries achieve remote code execution upon file opening, granting high-impact access to confidentiality, integrity, and availability.

Security advisories documenting the issue are available at sources including CXSecurity (WLB-2019030108), IBM X-Force Exchange, Packet Storm Security, the archived BEopt NREL site, and Zero Science (ZSL-2019-5513). No specific patches or vendor mitigations are detailed in the CVE description.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious libraries on…

more

WebDAV or SMB shares to execute unauthorized code.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.001 DLL Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
Why these techniques?

CVE directly describes DLL hijacking via untrusted search path (CWE-427) for malicious library substitution and code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-9498Shared CWE-427
CVE-2024-57963Shared CWE-427
CVE-2024-9493Shared CWE-427
CVE-2026-23755Shared CWE-427
CVE-2025-24039Shared CWE-427
CVE-2025-21127Shared CWE-427
CVE-2026-2713Shared CWE-427
CVE-2024-57964Shared CWE-427
CVE-2024-53588Shared CWE-427
CVE-2023-53959Shared CWE-427

Affected Assets

Cxsecurity
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-7 verifies the integrity of software components like sdl2.dll and libegl.dll using signatures or checksums, preventing substitution with malicious versions from untrusted remote shares.

prevent

CM-10 enforces execution of only authorized software via whitelisting or deny-by-default policies, blocking malicious DLLs loaded during BEopt file opening from WebDAV or SMB shares.

preventdetect

SI-3 deploys anti-malware tools to scan and block malicious DLLs exploited in the untrusted search path vulnerability when BEopt files are opened from remote shares.

References