CVE-2020-37028

HighPublic PoC

Published: 30 January 2026

Published

30 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 5.5th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-37028 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability. Its CVSS base score is 8.4 (High).

Operationally, ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-16 Memory Protection good match

prevent

Implements memory protections such as DEP, ASLR, and stack canaries to prevent arbitrary code execution from stack-based buffer overflows triggered by malicious payloads in the output folder field.

SI-10 Information Input Validation good match

prevent

Enforces validation of user inputs like the 'Output Folder' field to reject overly long or malformed paths that could trigger the buffer overflow.

CM-11 User-installed Software good match

prevent

Prohibits installation of unapproved user software such as the vulnerable Socusoft Photo to Video Converter Professional version 8.07, eliminating exposure to the CVE.

NVD Description

Socusoft Photo to Video Converter Professional 8.07 contains a local buffer overflow vulnerability in the 'Output Folder' input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the output folder field…

to trigger a stack-based buffer overflow and potentially execute shellcode.

Deeper analysisAI

CVE-2020-37028 is a stack-based buffer overflow vulnerability (CWE-120) affecting Socusoft Photo to Video Converter Professional version 8.07, specifically in the 'Output Folder' input field. Published on 2026-01-30, it carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue arises when a crafted malicious payload is pasted into the output folder field, triggering the overflow and enabling potential shellcode execution.

A local attacker can exploit this vulnerability without requiring privileges (PR:N), with low attack complexity and no additional user interaction beyond providing the malicious input. Successful exploitation allows arbitrary code execution on the target system, resulting in high impacts to confidentiality, integrity, and availability.

Advisories and related resources include a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/48691) and a vulnerability advisory from VulnCheck (https://www.vulncheck.com/advisories/socusoft-photo-to-video-converter-professional-output-folder-buffer-overflow), alongside an archived product page (https://web.archive.org/web/20190314225058/http://www.dvd-photo-slideshow.com/photo-to-video-converter.html). No specific patches or mitigations are detailed in the provided information.

Details

CWE(s): CWE-120

CVEs Like This One

CVE-2025-24956Shared CWE-120

CVE-2024-57482Shared CWE-120

CVE-2024-57479Shared CWE-120

CVE-2025-69807Shared CWE-120

CVE-2019-25353Shared CWE-120

CVE-2020-37050Shared CWE-120

CVE-2020-37207Shared CWE-120

CVE-2025-50670Shared CWE-120

CVE-2024-53027Shared CWE-120

CVE-2024-57509Shared CWE-120

References

https://web.archive.org/web/20190314225058/http://www.dvd-photo-slideshow.com/photo-to-video-converter.html
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/48691
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/socusoft-photo-to-video-converter-professional-output-folder-buffer-overflow
disclosure@vulncheck.com