CVE-2018-25322: Allok Fast AVI MPEG Splitter Stack Buffer Overflow

The National Vulnerability Database reports CVE-2018-25322, a high-severity stack-based buffer overflow in Allok Fast AVI MPEG Splitter version 1.2. This vulnerability allows local attackers to execute arbitrary code by supplying a crafted license name string. The attack vector is straightforward: an attacker can inject a payload consisting of 780 bytes of junk data followed by structured shellcode into the License Name field, triggering the overflow and executing code with the application’s privileges.
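To make the mitigation concrete, here is an added example (not Allok's code, which the report does not show) of how a license-name setter should bound and validate its input before copying it into a fixed-size buffer; `LICENSE_NAME_MAX`, `set_license_name` and the `check_*` helpers are hypothetical names, and the 800-byte input is constructed to mirror the reported shape of 780 filler bytes followed by non-printable bytes.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical upper bound: no legitimate license name comes close to 780 bytes. */
#define LICENSE_NAME_MAX 64

enum license_status { LICENSE_OK = 0, LICENSE_TOO_LONG, LICENSE_BAD_CHAR };

/* Copy a user-supplied license name into a fixed-size destination only after
 * checking its length and character class; an overlong or binary string is
 * rejected instead of being written past the end of the buffer. */
enum license_status set_license_name(char *dst, size_t dst_size, const char *src)
{
    /* Look for the terminator only inside the space we have, so an unterminated
     * or oversized input cannot make the scan itself read too far. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return LICENSE_TOO_LONG;
    size_t len = (size_t)(end - src);
    for (size_t i = 0; i < len; i++) {
        if (!isprint((unsigned char)src[i]))
            return LICENSE_BAD_CHAR;   /* binary payload bytes are not printable text */
    }
    memcpy(dst, src, len + 1);         /* len + 1 copies the terminator too */
    return LICENSE_OK;
}

/* Constructed sample shaped like the reported trigger: 780 filler bytes followed
 * by non-printable bytes (0x90 is used as a stand-in, not a real payload). */
enum license_status check_constructed_overflow_input(void)
{
    static char input[800];
    char dst[LICENSE_NAME_MAX];
    memset(input, 'A', 780);
    memset(input + 780, 0x90, sizeof input - 781);
    input[sizeof input - 1] = '\0';
    return set_license_name(dst, sizeof dst, input);
}

/* A short string carrying a non-printable byte is rejected by the character check. */
enum license_status check_binary_short_input(void)
{
    char dst[LICENSE_NAME_MAX];
    return set_license_name(dst, sizeof dst, "ACME\x90" "Corp");
}

/* A normal license name passes both checks. */
enum license_status check_benign_input(void)
{
    char dst[LICENSE_NAME_MAX];
    return set_license_name(dst, sizeof dst, "ACME Media Lab");
}
```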

This isn’t a zero-day, but it highlights a persistent class of vulnerabilities that can be easily exploited in legacy software. While the CVSS score of 8.4 (HIGH) reflects the critical impact (complete compromise of confidentiality, integrity, and availability), the local attack vector means an attacker needs prior access to the system. However, for a determined insider or an attacker who has already gained a foothold, this provides a reliable path to privilege escalation or further system compromise. It’s a reminder that even older, seemingly innocuous software can harbor dangerous flaws.

Defenders must recognize that applications like Allok Fast AVI MPEG Splitter, often found on endpoints for niche tasks, are frequently overlooked in vulnerability management programs. These tools can become stepping stones for attackers. The attacker’s calculus here is simple: find an unpatched system, exploit the buffer overflow, and elevate privileges. This is a classic tactic for establishing persistence or moving laterally within a network after an initial compromise.

What This Means For You

  • If your organization has Allok Fast AVI MPEG Splitter 1.2 or older versions installed on any endpoints, identify and remove it immediately. This software is outdated and poses a significant risk. Even if local access is required, it's a reliable privilege escalation vector for an attacker already inside your perimeter.

🛡️ Detection Rules

Suspicious PowerShell Execution (level: high; ATT&CK T1059.001, Execution)

Sigma YAML:
title: Suspicious PowerShell Execution
id: scw-2026-05-17-1
status: experimental
level: high
description: |
  Detects suspicious PowerShell execution patterns commonly used in post-exploitation following vendor compromises.
author: SCW Feed Engine (auto-generated)
date: 2026-05-17
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25322/
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - 'IEX('
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'Net.WebClient'
      - '-nop'
      - '-w hidden'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2018-25322


Indicators of Compromise

ID              Type             Indicator
CVE-2018-25322  Buffer Overflow  Allok Fast AVI MPEG Splitter 1.2
CVE-2018-25322  RCE              Stack-based buffer overflow in License Name field
CVE-2018-25322  Code Injection   Malicious license name string exceeding 780 bytes

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 17, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
