Aida64 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/aida64/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 24 Mar 2026 12:16:03 +0000AIDA64 Business SEH Buffer Overflow Vulnerability (CVE-2019-25631)https://feed.craftedsignal.io/briefs/2026-03-aida64-seh-overflow/Tue, 24 Mar 2026 12:16:03 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-aida64-seh-overflow/AIDA64 Business 5.99.4900 is vulnerable to a local Structured Exception Handling (SEH) buffer overflow (CVE-2019-25631) allowing attackers to execute arbitrary code by overwriting SEH pointers with malicious shellcode.<p>AIDA64 Business version 5.99.4900 is vulnerable to a structured exception handling (SEH) buffer overflow (CVE-2019-25631). A local attacker can exploit this vulnerability to execute arbitrary code with application privileges. The vulnerability stems from insufficient bounds checking when processing the SMTP display name field in the preferences or report wizard functionality. An attacker can inject malicious shellcode, specifically egg hunter shellcode, into this field to overwrite SEH…</p> highadvisorycve-2019-25631buffer-overflowsehaida64windowsAIDA64 Extreme 5.99.4900 Structured Exception Handler Buffer Overflowhttps://feed.craftedsignal.io/briefs/2026-03-aida64-buffer-overflow/Tue, 24 Mar 2026 12:16:02 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-aida64-buffer-overflow/AIDA64 Extreme 5.99.4900 is vulnerable to a structured exception handler buffer overflow, allowing local attackers to execute arbitrary code by supplying a malicious CSV log file path through the Hardware Monitoring logging preferences.AIDA64 Extreme version 5.99.4900 is susceptible to a structured exception handler (SEH) buffer overflow vulnerability. This flaw enables a local attacker to execute arbitrary code on a targeted system. The attack vector involves crafting a malicious CSV log file path and configuring AIDA64’s Hardware Monitoring logging preferences to utilize it. When the AIDA64 application attempts to process this specially crafted log file, it triggers a buffer overflow in the SEH, enabling the attacker to inject and execute arbitrary shellcode. This vulnerability poses a significant risk to systems running the affected AIDA64 version, potentially leading to complete system compromise by local users.

Attack Chain

  1. The attacker gains local access to a system running AIDA64 Extreme 5.99.4900.
  2. The attacker crafts a malicious CSV log file containing shellcode designed to exploit the SEH buffer overflow.
  3. The attacker opens AIDA64 Extreme and navigates to the Hardware Monitoring logging preferences.
  4. Within the logging preferences, the attacker specifies the path to the malicious CSV log file.
  5. AIDA64 attempts to process the specified log file, triggering the buffer overflow.
  6. The injected shellcode overwrites the structured exception handler.
  7. When an exception occurs during log processing, the overwritten SEH redirects execution to the attacker’s shellcode.
  8. The attacker’s shellcode executes arbitrary commands, potentially granting them full control of the system.

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the AIDA64 process. This could lead to complete system compromise, data theft, or installation of malware. While the exploit requires local access, the severity is high due to the potential for privilege escalation and the ease with which a malicious log file path can be configured within the application.

Recommendation

  • Monitor process execution for AIDA64 (aida64.exe) attempting to access unusual or suspicious file paths, especially CSV files, using the Detect AIDA64 Suspicious Log File Access Sigma rule.
  • Enable file access monitoring to capture the file paths being accessed by AIDA64.
  • Apply appropriate access controls to prevent unauthorized local users from modifying AIDA64’s logging preferences.
]]>highadvisoryaida64buffer-overflowvulnerability