CVE-2019-25689

HIGH

HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25689. PoCs published by Dino Covotsos.

AI-analyzed exploit summary This exploit demonstrates a local buffer overflow in HTML5 Video Player 1.2.5 by overwriting the buffer with a crafted payload containing a NOP sled, shellcode, and a JMP ESP address from shell32.dll. It generates an exploit.txt file that, when pasted into the application's registration key field, triggers the overflow and executes the shellcode.

Description

HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process.

Exploits (1)

exploitdb WORKING POC

by Dino Covotsos · pythonlocalwindows

https://www.exploit-db.com/exploits/46279

View Code ZIP pw:eip

This exploit demonstrates a local buffer overflow in HTML5 Video Player 1.2.5 by overwriting the buffer with a crafted payload containing a NOP sled, shellcode, and a JMP ESP address from shell32.dll. It generates an exploit.txt file that, when pasted into the application's registration key field, triggers the overflow and executes the shellcode.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: HTML5 Video Player 1.2.5

No auth needed

Prerequisites: Windows XP Prof SP3 ENG x86 · HTML5 Video Player 1.2.5 installed · User interaction to paste payload into registration key field

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 12, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-46279

https://www.exploit-db.com/exploits/46279

Product product

Official Product Homepage

http://www.html5videoplayer.net/download.html

Third Party Advisory third-party-advisory

VulnCheck Advisory: HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH

https://www.vulncheck.com/advisories/html5-video-player-local-buffer-overflow-non-seh

Scores

CVSS v3 8.4

EPSS 0.0021

EPSS Percentile 10.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-787

Status published

Products (2)

Html5Videoplayer/HTML5 Video Player 1.2.5

socusoft/html5_video_player 1.2.5

Published Apr 12, 2026

Tracked Since Apr 12, 2026