Cyber Resilience

CVE-2019-25613

Severity: High · Public PoC available
Published: 22 March 2026
Modified: 02 April 2026
KEV Added: not listed in the CISA KEV catalog
Patch: no patch details provided
CVSS v4.0 score: 8.7 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0052 (39.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25613 is a high-severity vulnerability in Echatserver Easy Chat Server, classified as Improper Verification of Source of a Communication Channel (CWE-940). Its CVSS v4.0 base score is 8.7 (High); the CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it at the 39.9th percentile by exploit likelihood, below the median. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced, so the low EPSS ranking should not be read as the absence of a working exploit.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2019-25613 is a denial of service vulnerability in Easy Chat Server 3.1. The application fails to handle oversized data in the message parameter, and the database classifies the weakness as CWE-940. Note that CWE-940 (Improper Verification of Source of a Communication Channel) describes a failure to authenticate the origin of a channel, whereas the behaviour described here is a crash on oversized input, so treat the CWE label as the database's classification rather than as a description of the root cause. A remote attacker can crash the server, which is reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, no authentication or user interaction required, no confidentiality or integrity impact, and high availability impact.

Any remote attacker can exploit this vulnerability without privileges. The attack first establishes a session through the chat.ghp endpoint, then sends a POST request to body2.ghp whose message parameter carries an excessively large value. The service crashes, denying availability to all users.
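The two-step sequence just described (a session via chat.ghp followed by an oversized POST to body2.ghp) is visible in front-end access logs, which is the cheapest place to detect attempts. The following Python script is an added example written for this page, not code from the advisory or the vendor; it assumes an nginx-style combined log with the request size ($request_length) appended as a final field, uses constructed sample lines, and treats the 8192-byte threshold as an assumption to tune per deployment.

```python
import re
from collections import defaultdict

# Assumed log layout (not from the advisory): nginx-style combined format
# with $request_length (header + body bytes) appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) (?P<req_len>\d+)$'
)

# Assumed threshold: a legitimate chat message plus form overhead is far
# below this; tune to the deployment's observed POST sizes.
MAX_REQUEST_LENGTH = 8192

# Constructed sample log lines for this example; not captured from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2026:10:00:01 +0000] "GET /chat.ghp HTTP/1.1" 200 1532 412
10.0.0.5 - - [22/Mar/2026:10:00:04 +0000] "POST /body2.ghp HTTP/1.1" 200 2048 530
10.0.0.9 - - [22/Mar/2026:10:01:10 +0000] "GET /chat.ghp HTTP/1.1" 200 1532 409
10.0.0.9 - - [22/Mar/2026:10:01:11 +0000] "POST /body2.ghp HTTP/1.1" 200 0 65937
10.0.0.7 - - [22/Mar/2026:10:02:00 +0000] "POST /body2.ghp HTTP/1.1" 403 0 70001
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["req_len"] = int(rec["req_len"])
    return rec


def detect_oversized_posts(log_text, max_request_length=MAX_REQUEST_LENGTH):
    """Return one alert per POST to body2.ghp larger than the threshold.

    Each alert records whether the same client hit chat.ghp earlier in the
    log (the session step the advisory describes); a prior session raises
    confidence that this is the described sequence rather than stray traffic.
    Malformed lines are skipped so the detector itself cannot be crashed."""
    saw_chat = defaultdict(bool)
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path == "/chat.ghp":
            saw_chat[rec["ip"]] = True
            continue
        if (rec["method"] == "POST" and path == "/body2.ghp"
                and rec["req_len"] > max_request_length):
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "request_length": rec["req_len"],
                "status": rec["status"],
                "prior_session": saw_chat[rec["ip"]],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_oversized_posts(SAMPLE_LOG):
        print(alert)
```

The status field is kept in each alert on purpose: a 200 on an oversized POST means the chat server accepted the request (and may have gone down right after), while a 403 means an edge control already refused it.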

Reference advisories include a VulnCheck report describing the denial of service via the message parameter and a proof-of-concept exploit published on Exploit-DB (EDB-ID 46806). Vendor resources are available at echatserver.com, including the ecssetup.exe download, but no patch details are provided, so compensating controls in front of the server are the practical mitigation.


Vulnerability details

Easy Chat Server 3.1 contains a denial of service vulnerability that allows remote attackers to crash the application by sending oversized data in the message parameter. Attackers can establish a session via the chat.ghp endpoint and then send a POST request to body2.ghp with an excessively large message parameter value to cause the service to crash.

CWE(s)

CWE-940 Improper Verification of Source of a Communication Channel

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

This CVE directly enables remote, unauthenticated exploitation of an application flaw that crashes the server and denies availability to its users (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25221 · same product: Echatserver Easy Chat Server
CVE-2026-33875 · shared CWE-940
CVE-2026-35643 · shared CWE-940
CVE-2025-23222 · shared CWE-940
CVE-2026-40434 · shared CWE-940
CVE-2025-61932 · shared CWE-940
CVE-2026-45245 · shared CWE-940

Affected Assets

Vendor: echatserver
Product: easy chat server
Version: 3.1

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mitigates the CVE by enforcing validation of the message parameter size and rejecting oversized values before they are processed.

prevent: SC-5 (Denial-of-service Protection). Provides denial-of-service protection mechanisms that block oversized data sent to the body2.ghp endpoint.

prevent: SC-6 (Resource Availability). Limits the resources an oversized POST request can consume, so a single request cannot crash the chat server.
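The three controls above reduce to one enforcement point: refuse an oversized POST to body2.ghp before the chat server ever parses it. The Python below is an added example written for this page, not the vendor's code or a published fix; it models the check a reverse proxy or WAF in front of Easy Chat Server would apply, with the body and message limits (4096 bytes and 1024 characters) and the field-count cap as assumptions to tune per deployment. Only the message parameter name and the body2.ghp path come from the advisory.

```python
from urllib.parse import parse_qs

# Assumed limits (not from the advisory); tune to real message sizes.
MAX_BODY_BYTES = 4096        # SC-6: cap the whole POST body for body2.ghp
MAX_MESSAGE_CHARS = 1024     # SC-5: cap the message parameter itself
MAX_FORM_FIELDS = 32         # also bound how many fields parse_qs will accept


class RequestRejected(Exception):
    """Carries the HTTP status and reason the front end should return."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def validate_body2_post(headers, body):
    """Validate a POST to body2.ghp before it is forwarded.

    headers: dict with lower-case header names; body: raw bytes.
    Returns the single message value on success and raises RequestRejected
    otherwise. Content-Length is checked first so an oversized body can be
    refused without buffering it."""
    declared = headers.get("content-length")
    if declared is None or not declared.isdigit():
        raise RequestRejected(411, "Content-Length required")
    if int(declared) > MAX_BODY_BYTES:
        raise RequestRejected(413, "body exceeds %d bytes" % MAX_BODY_BYTES)
    if len(body) != int(declared):
        raise RequestRejected(400, "body length does not match Content-Length")
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        raise RequestRejected(415, "form-encoded body required")
    try:
        fields = parse_qs(body.decode("utf-8", errors="replace"),
                          keep_blank_values=True, max_num_fields=MAX_FORM_FIELDS)
    except ValueError:
        raise RequestRejected(400, "too many form fields") from None
    values = fields.get("message", [])
    if len(values) != 1:
        raise RequestRejected(400, "exactly one message field required")
    if len(values[0]) > MAX_MESSAGE_CHARS:
        raise RequestRejected(413, "message exceeds %d characters" % MAX_MESSAGE_CHARS)
    return values[0]


def gate(method, path, headers, body):
    """Front-end decision: ('forward', message_or_None) or ('reject', status, reason).

    Only POST /body2.ghp is inspected; every other request passes through
    unchanged, so the chat session set up via chat.ghp keeps working."""
    if method.upper() == "POST" and path.split("?", 1)[0].lower() == "/body2.ghp":
        try:
            return ("forward", validate_body2_post(headers, body))
        except RequestRejected as exc:
            return ("reject", exc.status, exc.reason)
    return ("forward", None)


def form_headers(body):
    """Build the headers a browser would send for a form POST of this body."""
    return {"content-type": "application/x-www-form-urlencoded",
            "content-length": str(len(body))}


if __name__ == "__main__":
    benign = b"message=hello+world"
    flood = b"message=" + b"A" * 70000   # the oversized value the advisory describes
    print(gate("POST", "/body2.ghp", form_headers(benign), benign))
    print(gate("POST", "/body2.ghp", form_headers(flood), flood))
    print(gate("GET", "/chat.ghp", {}, b""))
```

The ordering matters: the Content-Length check runs before the body is decoded or parsed, so the proxy spends no memory on a request it is going to refuse, and the path comparison is case-insensitive and ignores the query string so the check cannot be bypassed by trivial variations of the URL.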

References

VulnCheck report: denial of service via the message parameter
Exploit-DB EDB-ID 46806: public proof-of-concept exploit
Vendor site echatserver.com: ecssetup.exe download (no patch details provided)