CVE-2019-25330
Published: 12 February 2026
Summary
CVE-2019-25330 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Softpedia (inferred from references). Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2019-25330 is a structured exception handler (SEH) overflow vulnerability affecting SurfOffline Professional version 2.2.0.103. The issue arises from improper handling of the project name input, enabling attackers to crash the application. It is classified under CWE-121 (Stack-based Buffer Overflow) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. By supplying a malicious payload of 382 'A' characters followed by specific byte sequences as the project name, they can overwrite SEH registers, triggering a denial-of-service condition that crashes the application.
References include an Exploit-DB entry (47795) demonstrating a proof-of-concept, a VulnCheck advisory detailing the SurfOffline Professional project name denial-of-service, the Softpedia page for the software, and an archived version of the vendor's website from 2019. No specific patches or mitigations are described in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19567
Vulnerability details
SurfOffline Professional 2.2.0.103 contains a structured exception handler (SEH) overflow vulnerability that allows attackers to crash the application by manipulating the project name input. Attackers can generate a malicious payload of 382 'A' characters followed by specific byte sequences to…
more
trigger a denial of service condition and overwrite SEH registers.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network-accessible stack buffer overflow directly enables exploitation of a public-facing application (T1190) to trigger application DoS via crafted input (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of project name inputs to prevent stack-based buffer overflows from malicious payloads exceeding expected lengths.
Implements memory protections such as stack canaries, ASLR, and DEP to block SEH register overwrites and unauthorized code execution from buffer overflows.
Mandates timely identification, prioritization, and remediation of known flaws like CVE-2019-25330 through patching or removal of vulnerable SurfOffline versions.