Cyber Resilience

CVE-2019-25650

High · Public PoC

Published: 26 March 2026

Modified: 01 May 2026
KEV Added:
Patch:
CVSS Score v4: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0018 (8.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25650 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Softonic (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 8.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

River Past CamDo version 3.7.6 contains a structured exception handler (SEH) buffer overflow vulnerability, classified under CWE-787, in the Lame_enc.dll name field. This flaw allows local attackers to execute arbitrary code by supplying a malicious string, with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Local attackers with access to the system can exploit this vulnerability without privileges by crafting a payload consisting of a 280-byte buffer, an NSEH jump instruction, and an SEH handler address pointing to a pop-pop-ret gadget. Successful exploitation triggers code execution, enabling actions such as establishing a bind shell on TCP port 3110.

Advisories and references, including an Exploit-DB entry (exploit 46335) with a proof-of-concept and a Vulncheck advisory on the River Past CamDo SEH buffer overflow, document the issue but do not specify patches or mitigations in the available details. A Softonic download link for the software is also referenced.

EU & UK References

Vulnerability details

River Past CamDo 3.7.6 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the Lame_enc.dll name field. Attackers can craft a payload with a 280-byte buffer, NSEH jump instruction, and SEH handler address pointing to a pop-pop-ret gadget to trigger code execution and establish a bind shell on port 3110.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Local SEH buffer overflow in CamDo enables arbitrary code execution (e.g., bind shell) via malicious input, directly mapping to exploitation for privilege escalation (T1068) and client-side code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25212 (shared CWE-787)
CVE-2026-8569 (shared CWE-787)
CVE-2026-31607 (shared CWE-787)
CVE-2025-20881 (shared CWE-787)
CVE-2026-8915 (shared CWE-787)
CVE-2026-47314 (shared CWE-787)
CVE-2026-6314 (shared CWE-787)
CVE-2016-20037 (shared CWE-787)
CVE-2024-54523 (shared CWE-787)
CVE-2026-9967 (shared CWE-787)

Affected Assets

Softonic
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 requires identification, reporting, and correction of system flaws like this SEH buffer overflow, directly eliminating the vulnerability through patching or removal of the vulnerable River Past CamDo software.

Prevent: SI-16 implements memory protection mechanisms such as DEP and ASLR that prevent exploitation of SEH buffer overflows: DEP blocks execution of injected code, and ASLR makes the address of a pop-pop-ret gadget unpredictable.

Prevent: SI-10 enforces validation of information inputs like the malicious string in the Lame_enc.dll name field, preventing buffer overflows by checking length and format.
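
One way to audit the SI-16 point above, as an added example that is not part of the original page or of any vendor tooling: it reads the DllCharacteristics field of a PE header and reports whether a module opts in to ASLR and DEP. The function names, file names and sample headers are constructed for illustration and say nothing about the actual flags of the CamDo binaries.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header (offset 70).
FLAGS = {"ASLR (DYNAMIC_BASE)": 0x0040, "DEP (NX_COMPAT)": 0x0100, "NO_SEH": 0x0400}

def pe_mitigations(data: bytes) -> dict:
    """Return {mitigation name: bool} read from a PE image's DllCharacteristics."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20  # skip the "PE\0\0" signature and 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("not a PE file: bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+; the field offset is the same in both
        raise ValueError("unknown optional header magic")
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return {name: bool(chars & bit) for name, bit in FLAGS.items()}

def weak_modules(images: dict) -> list:
    """Sorted names of images that do not opt in to both ASLR and DEP."""
    weak = []
    for name, data in images.items():
        m = pe_mitigations(data)
        if not (m["ASLR (DYNAMIC_BASE)"] and m["DEP (NX_COMPAT)"]):
            weak.append(name)
    return sorted(weak)

def sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 headers (not a loadable image) for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # With no arguments, audit two constructed headers; otherwise audit the given files.
    images = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "legacy_plugin.dll (constructed)": sample_pe(0x0000),
        "hardened_plugin.dll (constructed)": sample_pe(0x0140),
    }
    for name, data in images.items():
        print(name, pe_mitigations(data))
    print("missing ASLR or DEP:", weak_modules(images))
```

Passing paths on the command line audits real modules, for example every DLL in an application's install directory.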

References