Cyber Resilience

CVE-2019-25552

HighPublic PoC

Published: 21 March 2026

Published
21 March 2026
Modified
10 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 31.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2019-25552 is a high-severity Use of Password Hash Instead of Password for Authentication (CWE-836) vulnerability in Cewe Photo Show. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-25552 is a denial of service vulnerability affecting CEWE PHOTO SHOW version 6.4.3. The issue arises from the application's failure to properly handle an excessively long buffer submitted to the password field during the upload process, allowing attackers to crash the program by pasting a large string of repeated characters into the input.

The vulnerability can be exploited by any network-accessible attacker with no privileges required and low complexity, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and associated CWE-836. Exploitation leads to a complete application crash, resulting in denial of service for the affected instance.

Advisories and references, including those from VulnCheck detailing the denial of service via the password field, an Exploit-DB entry (46861), and the vendor site at cewe-photoworld.com, provide further details but no specific patch or mitigation guidance is outlined in the available information.

A proof-of-concept exploit is publicly available on Exploit-DB, confirming practical exploitability published on 2026-03-21.

EU & UK References

Vulnerability details

CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input…

more

during the upload process to trigger an application crash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Buffer overflow in password field directly enables application crash via exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

cewe
photo show
6.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates input validation at the password field to reject excessively long buffers, preventing the DoS crash from mishandled input.

prevent

Enforces input restrictions like maximum length at the password field during upload, blocking oversized strings that trigger the crash.

prevent

Implements protections to limit effects of denial-of-service events such as the application crash from excessive password buffer input.

References