CVE-2019-25552
Published: 21 March 2026
Summary
CVE-2019-25552 is a high-severity Use of Password Hash Instead of Password for Authentication (CWE-836) vulnerability in Cewe Photo Show. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-25552 is a denial of service vulnerability affecting CEWE PHOTO SHOW version 6.4.3. The issue arises from the application's failure to properly handle an excessively long buffer submitted to the password field during the upload process, allowing attackers to crash the program by pasting a large string of repeated characters into the input.
The vulnerability can be exploited by any network-accessible attacker with no privileges required and low complexity, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and associated CWE-836. Exploitation leads to a complete application crash, resulting in denial of service for the affected instance.
Advisories and references, including those from VulnCheck detailing the denial of service via the password field, an Exploit-DB entry (46861), and the vendor site at cewe-photoworld.com, provide further details but no specific patch or mitigation guidance is outlined in the available information.
A proof-of-concept exploit is publicly available on Exploit-DB, confirming practical exploitability published on 2026-03-21.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19852
Vulnerability details
CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input…
more
during the upload process to trigger an application crash.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in password field directly enables application crash via exploitation (T1499.004).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates input validation at the password field to reject excessively long buffers, preventing the DoS crash from mishandled input.
Enforces input restrictions like maximum length at the password field during upload, blocking oversized strings that trigger the crash.
Implements protections to limit effects of denial-of-service events such as the application crash from excessive password buffer input.