CVE-2020-37159
Published: 07 February 2026
Summary
CVE-2020-37159 is a high-severity stack-based buffer overflow (CWE-121) in Parallaxis Cuckoo Clock 5.0. The vendor is named in the references as PX Company; Softonic, which also appears among the references, is a download site and not the affected product. The summary block records a CVSS base score of 8.4 (High); note that the Deeper analysis section below gives a different figure.
Operationally, the page maps exploitation to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), a mapping that presumes the vulnerable input is reachable over the network. The vulnerability is ranked at the 44.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced (Exploit-DB 48087).
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2020-37159 is a stack-based buffer overflow (CWE-121) in Parallaxis Cuckoo Clock 5.0, specifically in the alarm scheduling feature. A crafted input longer than 260 bytes overruns a fixed-size stack buffer and overwrites the saved frame pointer and the saved return address; when the function returns, those values are loaded into EBP and EIP, so the attacker controls the instruction pointer and can redirect execution into shellcode carried in the payload. This section gives a CVSS v3.1 base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which conflicts with the 8.4 (High) recorded in the summary above. The two scores differ only in attack vector: 8.4 is what the same impact, complexity, privilege and interaction metrics produce with AV:L (an attacker who can feed input to the application on the host), while 9.8 requires the alarm scheduling input to be reachable over the network. The sources listed on this page do not resolve which applies.
On the network-vector reading, unauthenticated remote attackers can exploit the flaw with low attack complexity and no user interaction; on the local-vector reading, the attacker needs some way to supply the over-long input to the alarm scheduling feature on the affected host. In either case successful exploitation yields arbitrary code execution with the privileges of the application process, which the scoring rates as high impact on confidentiality, integrity, and availability.
The VulnCheck advisory details the overflow mechanics, and Exploit-DB hosts a proof-of-concept (EDB-ID 48087) demonstrating the EBP/EIP overwrite and shellcode execution. References to the software author, PX Company, are available via Softonic, but none of the listed sources provides a patch or vendor mitigation details; until one exists, the controls in the Mitigating Controls section are the available options.
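The mechanics described above, as an added example that is not the Cuckoo Clock source (which the listed sources do not provide) and not the Exploit-DB proof-of-concept: a minimal C model of a 260-byte alarm-label buffer, the unbounded copy that produces CWE-121, a bounded replacement that implements the SI-10 input-validation control named in the summary, and a helper that computes where an over-long input lands in a textbook x86-32 stack frame. The buffer size (taken from the page's "exceeding 260 bytes"), the function names, and the frame layout (buffer immediately below the saved frame pointer, no canary) are assumptions for illustration; real offsets have to be confirmed in a debugger against the actual binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, from the page's ">260 bytes" figure; the real field
 * size in Cuckoo Clock is not published in the listed sources. */
#define ALARM_LABEL_MAX 260

/* CWE-121 pattern the advisory describes: unbounded copy into a fixed stack
 * buffer. On a 32-bit x86 frame without a canary, bytes past index 259 land
 * on the saved frame pointer and then the saved return address, which the
 * function's `ret` loads into EBP and EIP. Illustration only: never call this
 * with untrusted data. */
int set_alarm_label_vulnerable(const char *label)
{
    char buf[ALARM_LABEL_MAX];
    strcpy(buf, label);                 /* no length check */
    return (int)strlen(buf);
}

/* SI-10 replacement: bound the length check to the destination size before
 * copying, and reject over-long input instead of silently truncating it.
 * Returns 0 on success, -1 if the label (with its terminator) does not fit. */
int set_alarm_label_checked(const char *label, char *dst, size_t dst_len)
{
    if (label == NULL || dst == NULL || dst_len == 0)
        return -1;
    /* Look for the terminator only inside the first dst_len bytes, so an
     * unterminated or over-long input can never be read past the limit. */
    const char *nul = memchr(label, '\0', dst_len);
    if (nul == NULL)                    /* no NUL within dst_len: too long */
        return -1;
    size_t n = (size_t)(nul - label);
    memcpy(dst, label, n + 1);          /* n < dst_len, so this always fits */
    return 0;
}

/* Where an over-long label lands in the textbook x86-32 layout assumed here.
 * Offsets are relative to the start of the buffer. A real target may have
 * padding, other locals, or a stack canary between the buffer and the saved
 * registers, so these values must be verified in a debugger. */
struct frame_offsets {
    size_t saved_ebp;               /* first byte past the buffer */
    size_t saved_eip;               /* saved return address */
    size_t min_len_to_control_eip;  /* bytes needed to fully overwrite it */
};

struct frame_offsets overflow_offsets(size_t buf_size)
{
    struct frame_offsets f;
    f.saved_ebp = buf_size;
    f.saved_eip = buf_size + sizeof(uint32_t);
    f.min_len_to_control_eip = f.saved_eip + sizeof(uint32_t);
    return f;
}

int main(void)
{
    char label[ALARM_LABEL_MAX];

    /* Constructed inputs: one label that fits and one that exceeds the
     * buffer by the page's measure. */
    const char ok[] = "Wake up";
    char big[ALARM_LABEL_MAX + 20];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("checked(ok)  -> %d\n", set_alarm_label_checked(ok, label, sizeof label));
    printf("checked(big) -> %d\n", set_alarm_label_checked(big, label, sizeof label));

    struct frame_offsets f = overflow_offsets(ALARM_LABEL_MAX);
    printf("saved EBP at +%zu, saved EIP at +%zu, %zu bytes needed to control EIP\n",
           f.saved_ebp, f.saved_eip, f.min_len_to_control_eip);
    return 0;
}
```

The checked variant is what the SI-10 control means in practice for this bug class; the SI-16 controls are complementary rather than a substitute, and only the vendor can rebuild the shipped binary with stack protection (for example gcc's -fstack-protector-strong), whereas DEP and ASLR can be enforced at the operating-system level for any executable.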
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31111
Vulnerability details
Parallaxis Cuckoo Clock 5.0 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory registers in the alarm scheduling feature. Attackers can craft a malicious payload exceeding 260 bytes to overwrite EIP and EBP, enabling shellcode execution with potential remote code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): a stack buffer overflow in the alarm scheduling input that, on the network-vector reading of the CVSS score, is reachable remotely without authentication and yields arbitrary code execution. If the input is only reachable locally, as the 8.4 (AV:L) scoring in the summary implies, T1190 does not apply, since that technique covers applications exposed to the network.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents the overflow by checking the length of alarm scheduling input against the destination buffer before copying and rejecting anything that does not fit (the page's figure is 260 bytes). This is the fix the vendor would apply in code; it cannot be retrofitted to the shipped binary by the operator.
- SI-16 (Memory Protection): runtime protections that blunt exploitation of a stack overflow that overwrites the saved EBP and return address: stack canaries detect the overwrite before the function returns, DEP prevents shellcode on the stack from executing, and ASLR makes return addresses unpredictable. Canaries require the vendor to rebuild the application; DEP and ASLR can be enforced by the operating system for any executable and are the operator-side controls available here.
- SI-2 (Flaw Remediation): timely patching or replacement of the vulnerable alarm scheduling feature eliminates the overflow outright. No patch is provided in the sources listed on this page, so remediation currently means upgrading, replacing or removing Parallaxis Cuckoo Clock 5.0 rather than applying a vendor fix.