CVE-2018-25303: Allok Video to DVD Burner Stack Overflow

The National Vulnerability Database (NVD) reports CVE-2018-25303, a high-severity stack-based buffer overflow in Allok Video to DVD Burner version 2.6.1217. With a CVSS score of 8.4, it allows a local attacker to achieve arbitrary code execution by supplying a crafted value in the License Name field during product registration. This is not a theoretical flaw; it is a direct path to system compromise for an attacker who already has local access.

The crafted input consists of 780 bytes of junk data followed by structured exception handler (SEH) chain pointers and shellcode. Pasting it into the License Name field overflows the stack buffer and overwrites the SEH record, so that when an exception is raised execution is diverted to the attacker's shellcode. NVD classifies the flaw as CWE-121 (stack-based buffer overflow).
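To make the bug class concrete, here is an added illustration (not Allok's code, which this page does not show): a registration handler that copies the License Name into a fixed-size stack buffer without a length check, beside a bounded version that rejects oversized input. The buffer size, function names and the 780-byte test input are hypothetical or constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size; the product's real frame layout is not public here. */
#define LICENSE_NAME_MAX 64

/* CWE-121 pattern: strcpy() trusts the input length, so a License Name longer
 * than LICENSE_NAME_MAX - 1 bytes runs past 'name' into the rest of the frame
 * (saved registers, return address and, on 32-bit Windows, the SEH record).
 * Shown only for contrast; never call it with untrusted input. */
int register_license_unsafe(const char *license_name)
{
    char name[LICENSE_NAME_MAX];
    strcpy(name, license_name);            /* unbounded copy: the overflow */
    return (int)strlen(name);
}

/* Hardened pattern: locate the terminator within the destination's capacity
 * before copying, and reject (not silently truncate) input that does not fit.
 * Returns true and fills 'out' on success, false on rejected input. */
bool register_license_safe(const char *license_name, char *out, size_t out_len)
{
    if (license_name == NULL || out == NULL || out_len == 0) return false;
    /* memchr stops at out_len bytes, so an over-long name is never read past the limit. */
    const char *nul = memchr(license_name, '\0', out_len);
    if (nul == NULL)
        return false;                      /* no terminator within capacity: too long */
    memcpy(out, license_name, (size_t)(nul - license_name) + 1);
    return true;
}

/* Constructs a name of 'len' 'A' bytes (e.g. the advisory's 780-byte junk)
 * and reports whether the hardened handler accepts it. */
bool accepts_name_of_length(size_t len)
{
    char input[1024], out[LICENSE_NAME_MAX];
    if (len >= sizeof input) return false;
    memset(input, 'A', len);
    input[len] = '\0';
    return register_license_safe(input, out, sizeof out);
}

int main(void)
{
    printf("63-byte name accepted: %d\n", accepts_name_of_length(63));    /* 1 */
    printf("780-byte name accepted: %d\n", accepts_name_of_length(780));  /* 0 */
    return 0;
}
```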

While Allok Video to DVD Burner is a niche product, the exploitation technique is a reminder of how easily poor memory handling leads to full system compromise. Defenders often overlook vulnerabilities of this kind in less critical, peripheral software, and that blind spot is one attackers consistently exploit.

What This Means For You

  • If your organization uses Allok Video to DVD Burner 2.6.1217 or similar legacy tools, you need to check for this vulnerability immediately. While it requires local access, it's a direct code execution path that can escalate privileges or be a post-initial-access pivot point. Audit your systems for this application and prioritize its removal or isolation if present.

Detection Rules

Four detection rules were auto-generated for this entry and mapped to MITRE ATT&CK; one is reproduced below as Sigma YAML. Note that it is a generic post-exploitation PowerShell heuristic: it does not detect exploitation of the License Name overflow itself, only common follow-on activity.

Rule: Suspicious PowerShell Execution (level: high; ATT&CK T1059.001, Execution)

title: Suspicious PowerShell Execution
id: scw-2026-04-29-1
status: experimental
level: high
description: |
  Detects suspicious PowerShell execution patterns commonly used in post-exploitation following vendor compromises.
author: SCW Feed Engine (auto-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25303/
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - 'IEX('
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'Net.WebClient'
      - '-nop'
      - '-w hidden'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2018-25303


Indicators of Compromise

ID              Type             Indicator
CVE-2018-25303  Buffer Overflow  Allok Video to DVD Burner 2.6.1217
CVE-2018-25303  Buffer Overflow  Stack-based buffer overflow in License Name field
CVE-2018-25303  RCE              SEH overwrite via crafted input string (780 bytes junk + SEH chain pointers + shellcode) in License Name field
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 29, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
