CVE-2019-25354
Published: 18 February 2026
Summary
CVE-2019-25354 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability affecting a Smarteyegroup product (vendor inferred from the references). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 2.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2019-25354 is a denial of service vulnerability in iSmartViewPro version 1.3.34. The flaw allows attackers to crash the application by overflowing the camera ID input field: pasting a 257-character buffer into the camera DID and password fields crashes the app on iOS devices. It is associated with CWE-120 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Remote attackers with no privileges or user interaction can exploit the vulnerability due to its network accessibility and low attack complexity. Exploitation triggers an application crash, resulting in denial of service on the targeted iOS device.
References include the vendor site at http://www.smarteyegroup.com/, the iOS App Store listing at https://apps.apple.com/mx/app/ismartviewpro/id834791071, an Exploit-DB entry at https://www.exploit-db.com/exploits/47662, and a VulnCheck advisory at https://www.vulncheck.com/advisories/ismartviewpro-denial-of-service. None of the referenced sources gives patch or vendor mitigation details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19710
Vulnerability details
iSmartViewPro 1.3.34 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the camera ID input field. Attackers can paste a 257-character buffer into the camera DID and password fields to trigger an application crash on iOS devices.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in network-accessible input field directly enables remote application crash via exploitation, matching T1499.004.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation of input length and format on fields such as camera ID and password, directly blocking the 257-character buffer overflow that triggers the crash.
- Memory protection: Applies memory protections (e.g., ASLR, non-executable stacks) that can limit exploitability of the CWE-120 buffer overflow even if input validation is absent.
- SC-5 (Denial-of-service Protection): Limits the impact of the resulting denial-of-service condition by protecting availability of the mobile application against crafted remote inputs.
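As an added illustration of the input-validation control above (example code written for this page, not code from iSmartViewPro or Smarteyegroup), the following C shows the CWE-120 pattern beside a bounded, validating store for the camera DID and password fields. The 256-byte field size, the `camera_creds` record and the `[A-Za-z0-9-]` character set for the DID are assumptions chosen to match the 257-character input in the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 256   /* assumed maximum field length in bytes; not a value from the app */
enum field_status { FIELD_OK = 0, FIELD_EMPTY, FIELD_TOO_LONG, FIELD_BAD_CHAR };
struct camera_creds { char did[FIELD_MAX + 1]; char password[FIELD_MAX + 1]; };  /* hypothetical */

/* Vulnerable pattern (CWE-120), for contrast only: an unbounded copy into a
 * fixed buffer, so a 257-byte input writes one byte past the end of did[]. */
void set_did_unchecked(struct camera_creds *c, const char *did) { strcpy(c->did, did); }

/* Scan at most max_len + 1 bytes so an oversized or unterminated input is never
 * read in full. The DID is restricted to [A-Za-z0-9-]; a password is only
 * length-checked. */
enum field_status validate_field(const char *in, size_t max_len, int alnum_only)
{
    if (in == NULL) return FIELD_EMPTY;
    size_t n = 0;
    while (n <= max_len && in[n] != '\0') {
        if (alnum_only && !isalnum((unsigned char)in[n]) && in[n] != '-')
            return FIELD_BAD_CHAR;
        n++;
    }
    if (n == 0) return FIELD_EMPTY;
    return n > max_len ? FIELD_TOO_LONG : FIELD_OK;
}

/* Hardened store: validate both fields first, then copy with an explicit bound.
 * Returns 0 on success, -1 on rejection; never leaves a half-updated record. */
int set_camera_creds(struct camera_creds *c, const char *did, const char *pw)
{
    if (validate_field(did, FIELD_MAX, 1) != FIELD_OK ||
        validate_field(pw, FIELD_MAX, 0) != FIELD_OK)
        return -1;
    snprintf(c->did, sizeof c->did, "%s", did);
    snprintf(c->password, sizeof c->password, "%s", pw);
    return 0;
}

/* Constructed test input: n copies of ch; buf must hold n + 1 bytes. */
void fill_repeat(char *buf, size_t n, char ch) { memset(buf, ch, n); buf[n] = '\0'; }
int main(void)
{
    struct camera_creds c;
    char oversized[FIELD_MAX + 2];
    fill_repeat(oversized, FIELD_MAX + 1, 'A');   /* the 257-character input from the advisory */
    printf("257-char DID accepted: %s\n", set_camera_creds(&c, oversized, "pw") == 0 ? "yes" : "no");
    printf("valid DID accepted:    %s\n", set_camera_creds(&c, "ABCD-1234", "pw") == 0 ? "yes" : "no");
    return 0;
}
```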