CVE-2019-25354

Medium · Public PoC

Published: 18 February 2026
Modified: 15 April 2026
CVSS Score v4: 4.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (2.1th percentile)
Risk Priority: 9 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25354 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Smarteyegroup (inferred from references). Its CVSS v4 base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 2.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2019-25354 is a denial of service vulnerability in iSmartViewPro version 1.3.34. The flaw allows attackers to crash the application on iOS devices by overflowing the camera ID input field: pasting a 257-character buffer into the camera DID and password fields triggers the crash. It is associated with CWE-120 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remote attackers with no privileges or user interaction can exploit the vulnerability due to its network accessibility and low attack complexity. Exploitation triggers an application crash, resulting in denial of service on the targeted iOS device.

References include the vendor site at http://www.smarteyegroup.com/, the iOS App Store listing at https://apps.apple.com/mx/app/ismartviewpro/id834791071, an Exploit-DB entry at https://www.exploit-db.com/exploits/47662, and a VulnCheck advisory at https://www.vulncheck.com/advisories/ismartviewpro-denial-of-service. No specific patch or mitigation details are given in the provided information.

Vulnerability details

iSmartViewPro 1.3.34 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the camera ID input field. Attackers can paste a 257-character buffer into the camera DID and password fields to trigger an application crash on iOS devices.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Buffer overflow in network-accessible input field directly enables remote application crash via exploitation, matching T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20115 (Shared CWE-120)
CVE-2020-37205 (Shared CWE-120)
CVE-2026-28875 (Shared CWE-120)
CVE-2020-37194 (Shared CWE-120)
CVE-2020-37180 (Shared CWE-120)
CVE-2024-24419 (Shared CWE-120)
CVE-2019-25353 (Shared CWE-120)
CVE-2026-30075 (Shared CWE-120)
CVE-2020-37213 (Shared CWE-120)
CVE-2021-47798 (Shared CWE-120)

Affected Assets

Smarteyegroup
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Enforces validation of input length and format on fields such as camera ID and password, directly blocking the 257-character buffer overflow that triggers the crash.

Prevent: Applies memory protections (e.g., ASLR, non-executable stacks) that can limit exploitability of the CWE-120 buffer overflow even if input validation is absent.

Prevent: Limits the impact of the resulting denial-of-service condition by protecting availability of the mobile application against crafted remote inputs.
