{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/local-code-execution/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2019-25679"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2019-25679","buffer-overflow","seh","local-code-execution","realterm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRealTerm Serial Terminal version 2.0.0.70 is vulnerable to a structured exception handling (SEH) buffer overflow in the Echo Port tab. The vulnerability, tracked as CVE-2019-25679, allows a local attacker to execute arbitrary code on a vulnerable system. The attack requires the RealTerm application to be running. The attacker crafts a payload that overwrites the SEH record on the stack with the address of a POP POP RET gadget and places shellcode after it, pastes the payload into the Port field of the Echo Port tab, and then induces the user to click the \u0026ldquo;Change\u0026rdquo; button. The click triggers the overflow, the corrupted exception handler is invoked, and the attacker\u0026rsquo;s shellcode runs in the context of the RealTerm process. 
This poses a significant risk, particularly in environments where RealTerm is used for debugging or serial communication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable RealTerm Serial Terminal 2.0.0.70 installation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a payload consisting of padding up to the SEH record, a short jump in the next-SEH field, the address of a POP POP RET gadget in the handler field, and shellcode.\u003c/li\u003e\n\u003cli\u003eThe attacker gains local access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker opens the RealTerm application and navigates to the Echo Port tab.\u003c/li\u003e\n\u003cli\u003eThe attacker pastes the payload into the Port field.\u003c/li\u003e\n\u003cli\u003eThe attacker induces the user to click the \u0026ldquo;Change\u0026rdquo; button.\u003c/li\u003e\n\u003cli\u003eThe oversized input overflows the stack buffer and overwrites the SEH record, so the registered handler address now points at the POP POP RET gadget.\u003c/li\u003e\n\u003cli\u003eAn exception raised on the corrupted stack invokes the overwritten handler; the POP POP RET gadget returns into the attacker-controlled next-SEH field, whose short jump lands in the shellcode, resulting in arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2019-25679) allows a local attacker to execute arbitrary code on the affected system. This could lead to complete system compromise, including data theft, installation of malware, or denial of service. 
Although specific victim counts and targeted sectors are not available, the widespread use of RealTerm in technical environments makes this a potentially significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;RealTerm SEH Overflow Attempt\u0026rdquo; Sigma rule to detect process creation of RealTerm with an unusually long string supplied as a command-line argument.\u003c/li\u003e\n\u003cli\u003eMonitor process creations whose parent process is Realterm.exe using the \u0026ldquo;RealTerm Suspicious Child Process\u0026rdquo; Sigma rule; a serial terminal has no legitimate reason to spawn a shell or script host.\u003c/li\u003e\n\u003cli\u003eAlthough no dedicated network detection is available for this issue, monitor network traffic for anomalies in case the attacker installs malware after successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:46Z","date_published":"2026-04-05T21:16:46Z","id":"/briefs/2026-04-realterm-seh-overflow/","summary":"RealTerm Serial Terminal 2.0.0.70 contains a structured exception handling (SEH) buffer overflow vulnerability allowing local attackers to execute arbitrary code by supplying a malicious payload via the Echo Port tab.","title":"RealTerm Serial Terminal SEH Buffer Overflow Vulnerability (CVE-2019-25679)","url":"https://feed.craftedsignal.io/briefs/2026-04-realterm-seh-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2016-20038","buffer-overflow","local-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eyTree version 1.94-1.1 is susceptible to a stack-based buffer overflow (CVE-2016-20038). A local attacker can exploit the flaw by passing an overly long command-line argument to the application. The oversized argument overwrites stack memory, allowing the attacker to inject and execute arbitrary code within the context of the yTree process. 
This could lead to a full system compromise if the attacker gains sufficient privileges. This vulnerability has been publicly known…\u003c/p\u003e\n","date_modified":"2026-03-28T12:15:59Z","date_published":"2026-03-28T12:15:59Z","id":"/briefs/2026-03-ytree-buffer-overflow/","summary":"yTree version 1.94-1.1 is vulnerable to a stack-based buffer overflow, allowing local attackers to execute arbitrary code by supplying an excessively long argument to overwrite the stack with shellcode.","title":"yTree Stack-Based Buffer Overflow Vulnerability (CVE-2016-20038)","url":"https://feed.craftedsignal.io/briefs/2026-03-ytree-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Local-Code-Execution","version":"https://jsonfeed.org/version/1.1"}
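The two process-creation rules recommended in the RealTerm brief above, together with the long-argument condition of the yTree item, as an added worked example. This is constructed example code, not code from the feed, from RealTerm or yTree, or from any published Sigma rule: it re-expresses the "RealTerm SEH Overflow Attempt" and "RealTerm Suspicious Child Process" conditions as plain Python over Sysmon Event ID 1-style records so the logic can be run and tested offline. The field names (Image, ParentImage, CommandLine), the 200-byte length threshold, the list of suspicious child images and every sample event are assumptions made for the illustration, and the long-argument check is generalised to a table of watched binaries so the same code covers both advisories on this page.

```python
"""Process-creation detection logic for the rules named in the RealTerm brief.

Constructed example (not feed, vendor, or Sigma-project code). Field names
follow Sysmon Event ID 1; thresholds, child lists and sample events are
assumptions for the illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a legitimate RealTerm/yTree argument (port name, baud rate,
# path) is far shorter than this; overflow strings run to hundreds of bytes.
LONG_ARG_THRESHOLD = 200

# Lower-case basenames whose command lines are checked for a long argument:
# Realterm.exe (CVE-2019-25679) and ytree (CVE-2016-20038).
WATCHED_IMAGES = {"realterm.exe", "ytree"}

# Children a serial-terminal process should never spawn (illustrative list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Last path component, case-folded, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def split_command_line(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted spans (e.g. a path under
    "Program Files") together as one token; the quotes themselves are dropped."""
    tokens, current, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def longest_argument(cmdline: str) -> str:
    """Longest argument after the program token ("" when there are none)."""
    args = split_command_line(cmdline)[1:]
    return max(args, key=len, default="")


def check_long_argument(event: dict) -> Optional[Alert]:
    """Rule 1: a watched binary launched with an argument over the threshold."""
    image = basename(event.get("Image", ""))
    if image not in WATCHED_IMAGES:
        return None
    arg = longest_argument(event.get("CommandLine", ""))
    if len(arg) < LONG_ARG_THRESHOLD:
        return None
    return Alert("Long Argument Overflow Attempt", image,
                 f"argument of {len(arg)} bytes (threshold {LONG_ARG_THRESHOLD})")


def check_suspicious_child(event: dict) -> Optional[Alert]:
    """Rule 2: a shell or script host whose parent process is Realterm.exe."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent != "realterm.exe" or child not in SUSPICIOUS_CHILDREN:
        return None
    return Alert("RealTerm Suspicious Child Process", child,
                 f"spawned by {event.get('ParentImage', '')}")


def scan(events) -> List[Alert]:
    """Run both rules over process-creation events (Sysmon Event ID 1 only)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        for check in (check_long_argument, check_suspicious_child):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: a benign RealTerm start, a start with an
# oversized argument, a shell spawned by RealTerm, a long argument to yTree,
# an unrelated process, and a non-process event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\RealTerm\Realterm.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\RealTerm\Realterm.exe" port=3 baud=115200'},
    {"EventID": 1, "Image": r"C:\Program Files\RealTerm\Realterm.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\RealTerm\Realterm.exe" port=' + "A" * 600},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\RealTerm\Realterm.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": "/usr/bin/ytree", "ParentImage": "/bin/bash",
     "CommandLine": "ytree " + "A" * 2000},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "Image": r"C:\Program Files\RealTerm\Realterm.exe",
     "DestinationIp": "10.0.0.5"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image}: {a.detail}")
```

Run as a script it prints the three alerts raised by the embedded sample. Two caveats a practitioner would want: the brief describes the RealTerm payload being pasted into a GUI field, so the long-argument rule only fires when the overflow string actually reaches the process command line, which makes the parent/child rule the more reliable signal for this CVE; and a fixed length threshold needs tuning against the site's own RealTerm and yTree command lines before it is promoted from hunting to alerting.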