{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/seh/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2018-25302"}],"_cs_exploited":false,"_cs_products":["Allok AVI to DVD SVCD VCD Converter 4.0.1217"],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","seh","cve-2018-25302"],"_cs_type":"advisory","_cs_vendors":["Allok Soft"],"content_html":"\u003cp\u003eAllok AVI to DVD SVCD VCD Converter version 4.0.1217 contains a structured exception handling (SEH) based stack buffer overflow (CVE-2018-25302). A local attacker who can type into the License Name field of the registration dialog can supply an over-long string that overwrites the SEH record on the stack and execute arbitrary code with the privileges of the user running the application. No credentials beyond an interactive session on the host are needed, but the vector is local (CVSS 7.8): on its own the flaw grants nothing the logged-on user does not already have, unless the converter is run by a more privileged account. The vulnerability was reported on April 29, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker prepares a string made of junk bytes sized to reach the SEH record, a short jump in the NSEH slot, a handler address (typically a POP POP RET gadget in a module built without SafeSEH) and shellcode.\u003c/li\u003e\n\u003cli\u003eThe attacker opens the Allok AVI to DVD SVCD VCD Converter application.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the registration or license activation section of the software.\u003c/li\u003e\n\u003cli\u003eThe attacker pastes the string into the License Name field.\u003c/li\u003e\n\u003cli\u003eThe attacker clicks the \u0026ldquo;Register\u0026rdquo; button; the unchecked copy of the field into a fixed-size stack buffer overflows it.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites the SEH record. When the corrupted stack causes an exception, the exception dispatcher calls the attacker-supplied handler address instead of the original handler.\u003c/li\u003e\n\u003cli\u003eThe POP POP RET gadget returns into the NSEH slot, whose short jump lands in the shellcode.\u003c/li\u003e\n\u003cli\u003eThe shellcode executes, allowing the attacker to run arbitrary code on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a local attacker to execute arbitrary code with the privileges of the user running the Allok AVI to DVD SVCD VCD Converter. Where that user is an administrator this leads to complete system compromise, data theft, or installation of malware. Exploitation requires interactive access to the application, so the practical exposure is on shared or multi-user hosts and wherever the converter runs with elevated rights.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAllok AVI Converter SEH Buffer Overflow\u003c/code\u003e, which flags exploitation attempts from process creation events.\u003c/li\u003e\n\u003cli\u003eMonitor for abnormal child processes whose parent is the Allok AVI to DVD SVCD VCD Converter process; a shell or script host spawned by a media converter is a strong indicator (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eNo fixed release is referenced in this brief. Remove or block Allok AVI to DVD SVCD VCD Converter 4.0.1217 until a patch is available, and do not run it under an administrative account.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:25Z","date_published":"2026-04-29T20:16:25Z","id":"/briefs/2026-04-allok-buffer-overflow/","summary":"Allok AVI to DVD SVCD VCD Converter 4.0.1217 is vulnerable to an SEH-based buffer overflow, allowing a local attacker to execute arbitrary code by providing a malicious string in the License Name field.","title":"Allok AVI to DVD SVCD VCD Converter Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-allok-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2019-25679"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2019-25679","buffer-overflow","seh","local-code-execution","realterm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRealTerm Serial Terminal version 2.0.0.70 is vulnerable to a structured exception handling (SEH) buffer overflow in the Echo Port tab, tracked as CVE-2019-25679. A local attacker can use it to execute arbitrary code in the context of the RealTerm process. The attack requires RealTerm to be running on the target. 
The attacker crafts a string that places a POP POP RET gadget address in the SEH handler slot with shellcode after it, pastes it into the Port field within the Echo Port tab, and then clicks the \u0026ldquo;Change\u0026rdquo; button or induces the user to do so. The resulting overflow and exception hand control to the gadget, which returns into the overwritten NSEH slot and from there into the shellcode, giving code execution with the privileges of the user running RealTerm. This matters in engineering and lab environments where RealTerm is used for serial debugging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable RealTerm Serial Terminal 2.0.0.70 installation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a payload containing shellcode and a POP POP RET gadget address.\u003c/li\u003e\n\u003cli\u003eThe attacker gains local access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker opens RealTerm and navigates to the Echo Port tab.\u003c/li\u003e\n\u003cli\u003eThe attacker pastes the payload into the Port field.\u003c/li\u003e\n\u003cli\u003eThe attacker clicks the \u0026ldquo;Change\u0026rdquo; button, or induces the user to click it.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow occurs and overwrites the SEH record; the subsequent exception makes the dispatcher call the gadget address in the handler slot.\u003c/li\u003e\n\u003cli\u003eThe POP POP RET gadget returns into the overwritten NSEH slot, whose short jump redirects control to the attacker\u0026rsquo;s shellcode, resulting in arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2019-25679 allows a local attacker to execute arbitrary code with the privileges of the user running RealTerm. This can lead to compromise of the host, including data theft and installation of malware, or to denial of service if the payload merely crashes the application. No in-the-wild exploitation has been reported; the exposure is concentrated on engineering workstations where RealTerm is installed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;RealTerm SEH Overflow Attempt\u0026rdquo; Sigma rule, which looks for RealTerm started with an unusually long string as an argument followed by suspicious process creation (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eMonitor process creations where the parent image is Realterm.exe using the \u0026ldquo;RealTerm Suspicious Child Process\u0026rdquo; Sigma rule; a shell, script host or LOLBin with that parent is the expected post-exploitation pattern.\u003c/li\u003e\n\u003cli\u003eThere is no network signature for the trigger itself, since the payload is entered through the GUI. Monitor new outbound connections and new listening ports on hosts running RealTerm to catch the malware or shell an attacker installs after exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:46Z","date_published":"2026-04-05T21:16:46Z","id":"/briefs/2026-04-realterm-seh-overflow/","summary":"RealTerm Serial Terminal 2.0.0.70 contains a structured exception handling (SEH) buffer overflow allowing a local attacker to execute arbitrary code by supplying a malicious payload via the Echo Port tab.","title":"RealTerm Serial Terminal SEH Buffer Overflow Vulnerability (CVE-2019-25679)","url":"https://feed.craftedsignal.io/briefs/2026-04-realterm-seh-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2019-25631","buffer-overflow","seh","aida64","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAIDA64 Business version 5.99.4900 is vulnerable to a structured exception handling (SEH) buffer overflow (CVE-2019-25631). A local attacker can exploit it to execute arbitrary code with the privileges of the user running the application. 
The flaw is missing bounds checking on the SMTP display name field in the preferences and report wizard dialogs. An attacker can place shellcode in this field, specifically egg hunter shellcode (a small first stage that scans memory for a tagged, larger payload, used because the overflowing field leaves little room for the real one), to overwrite SEH…\u003c/p\u003e\n","date_modified":"2026-03-24T12:16:03Z","date_published":"2026-03-24T12:16:03Z","id":"/briefs/2026-03-aida64-seh-overflow/","summary":"AIDA64 Business 5.99.4900 is vulnerable to a local Structured Exception Handling (SEH) buffer overflow (CVE-2019-25631) allowing a local attacker to execute arbitrary code by overwriting the SEH record with a pointer into attacker-controlled shellcode.","title":"AIDA64 Business SEH Buffer Overflow Vulnerability (CVE-2019-25631)","url":"https://feed.craftedsignal.io/briefs/2026-03-aida64-seh-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","seh","cve-2019-25615","local-privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLavavo CD Ripper version 4.20 is susceptible to a structured exception handling (SEH) buffer overflow, tracked as CVE-2019-25615 and rated critical in this feed. A local attacker can execute arbitrary code by entering a crafted string as the License Activation Name; the root cause is missing bounds checking on the license activation data. The code runs with the privileges of the user running the application, so complete control of the host follows when that user is privileged, and the published payload opens a bind shell that exposes the compromised machine to the local network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker prepares a string crafted for the SEH overflow in Lavavo CD Ripper 4.20: controlled buffer data sized to reach the SEH record, a short jump in the NSEH slot, and the SEH handler address.\u003c/li\u003e\n\u003cli\u003eThe attacker launches Lavavo CD Ripper 4.20 on a vulnerable system.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the license activation section of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker enters the string into the License Activation Name field.\u003c/li\u003e\n\u003cli\u003eThe application copies the input without bounds checking, overflowing the stack buffer.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites the SEH record on the stack, replacing the registered handler with the attacker-controlled handler address.\u003c/li\u003e\n\u003cli\u003eAn exception is raised within the application and the exception dispatcher calls the attacker-controlled handler address, which returns into the NSEH jump and from there into the shellcode.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes and starts a bind shell on port 3110, allowing the attacker to connect over the network and control the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SEH buffer overflow in Lavavo CD Ripper 4.20 gives a local attacker arbitrary code execution with the privileges of the user running the application. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and lateral movement within the network. The bind shell on port 3110 is a listening backdoor reachable from any host that can route to the machine; it lasts only as long as the shell process runs, but that is long enough to install something more durable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for Lavavo CD Ripper that address CVE-2019-25615; this brief does not reference a fixed version.\u003c/li\u003e\n\u003cli\u003eUse application control to block Lavavo CD Ripper 4.20 on hosts where it is not required, and to stop untrusted binaries dropped after exploitation from running.\u003c/li\u003e\n\u003cli\u003eDeploy the accompanying Sigma rules to detect exploitation attempts from process creation events (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected services listening on port 3110 and for inbound connections to that port, either of which indicates a live bind shell (logsource: network_connection).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T14:00:00Z","date_published":"2026-03-23T14:00:00Z","id":"/briefs/2026-03-lavavo-cd-ripper-seh-overflow/","summary":"Lavavo CD Ripper 4.20 is vulnerable to a structured exception handling (SEH) buffer overflow, allowing a local attacker to execute arbitrary code, demonstrated as a bind shell on port 3110, by supplying a malicious string in the License Activation Name field.","title":"Lavavo CD Ripper 4.20 SEH Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-lavavo-cd-ripper-seh-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — SEH","version":"https://jsonfeed.org/version/1.1"}
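The recommendation sections of the briefs above describe three detections: RealTerm launched with an unusually long argument, a shell or script host spawned with Realterm.exe as its parent, and a listener on port 3110 after the Lavavo payload runs. The following is an added example that implements that logic over constructed Sysmon-style events; it is not CraftedSignal's code and not the Sigma rules the briefs name. Field names follow Sysmon event ID 1 (process creation) and event ID 3 (network connection); the length threshold, the child-process list and every sample event are assumptions made for this example.

```python
"""Detection logic for the SEH-overflow briefs in this feed.

Added example; not CraftedSignal's code and not the Sigma rules the briefs name.
Field names follow Sysmon (EventID 1 = process creation, EventID 3 = network
connection). The thresholds, the child-process list and the sample events are
assumptions constructed for the example, not values taken from the briefs.
"""
from typing import Dict, Iterable, List, Optional

Event = Dict[str, object]

# Child images a serial terminal or media converter has no reason to spawn (assumption).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}
# Parent image named in the RealTerm brief.
VULNERABLE_PARENTS = {"realterm.exe"}
# An SEH payload (junk + nSEH + handler + shellcode) is hundreds of bytes; a
# legitimate port argument is a few characters. 256 is an assumed threshold.
LONG_ARG_THRESHOLD = 256
# Bind-shell port named in the Lavavo brief.
BIND_SHELL_PORTS = {3110}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_long_argument(ev: Event) -> Optional[str]:
    """RealTerm SEH Overflow Attempt: Realterm.exe launched with an overlong token."""
    if ev.get("EventID") != 1 or basename(str(ev.get("Image", ""))) not in VULNERABLE_PARENTS:
        return None
    longest = max((len(tok) for tok in str(ev.get("CommandLine", "")).split()), default=0)
    return f"realterm_long_argument({longest} bytes)" if longest >= LONG_ARG_THRESHOLD else None


def rule_suspicious_child(ev: Event) -> Optional[str]:
    """RealTerm Suspicious Child Process: shell or LOLBin whose parent is Realterm.exe."""
    if ev.get("EventID") != 1:
        return None
    parent = basename(str(ev.get("ParentImage", "")))
    child = basename(str(ev.get("Image", "")))
    if parent in VULNERABLE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return f"suspicious_child({parent} -> {child})"
    return None


def rule_bind_shell(ev: Event) -> Optional[str]:
    """Inbound connection accepted on a known bind-shell port (Sysmon 3, Initiated=false)."""
    if ev.get("EventID") != 3 or ev.get("Initiated") is not False:
        return None
    port = ev.get("DestinationPort")
    if port in BIND_SHELL_PORTS:
        return f"bind_shell_listener(port {port}, image {basename(str(ev.get('Image', '')))})"
    return None


RULES = (rule_long_argument, rule_suspicious_child, rule_bind_shell)


def evaluate(events: Iterable[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event; return one alert per (event, rule) match."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"record": ev.get("RecordId"), "rule": rule.__name__, "detail": hit})
    return alerts


# Constructed sample telemetry (not real logs): a benign launch, a launch with an
# SEH-sized argument, cmd.exe spawned by RealTerm, a benign process, an inbound hit
# on 3110 from a constructed ripper.exe, and a benign outbound connection.
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Program Files\RealTerm\Realterm.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Realterm.exe port=3 baud=115200"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Program Files\RealTerm\Realterm.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Realterm.exe port=" + "A" * 600},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\RealTerm\Realterm.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"RecordId": 5, "EventID": 3, "Image": r"C:\Program Files\CDRipper\ripper.exe",
     "Initiated": False, "DestinationPort": 3110, "SourceIp": "10.0.0.7"},
    {"RecordId": 6, "EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": True, "DestinationPort": 443, "SourceIp": "10.0.0.7"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The long-argument rule only fires when the payload reaches the command line; in the briefs the string is pasted into a GUI field, which never appears there, so in practice the child-process and listener rules carry most of the weight and the argument-length check is a cheap extra for scripted launches.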