HIGH 8.4

CVE-2019-25735: AllPlayer 7.4 Buffer Overflow in URL Handling – Local Code Execution Risk

AllPlayer version 7.4 contains a buffer overflow flaw in how it processes URLs. When a user opens the application's URL dialog and pastes an unusually long URL string, the application fails to validate the input length properly. This allows an attacker to overwrite critical memory structures called structured exception handlers (SEH pointers), which Windows uses to manage error handling. By crafting a malicious URL, an attacker can hijack this process to execute arbitrary commands on the affected system with the same privileges as the logged-in user.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long URL string. Attackers can craft a malicious URL, paste it into the Open URL dialog, and trigger SEH-based code execution to run arbitrary commands with user privileges.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2019-25735 is a local stack-based buffer overflow in AllPlayer 7.4's URL handling routine. The vulnerability exists because the application does not properly bounds-check user-supplied URL input in the Open URL dialog. An attacker can supply a URL string that exceeds the allocated buffer size, causing a stack overflow. The overflow permits overwriting of SEH frame pointers, enabling SEH-based code execution (sometimes called SEH hijacking). Once SEH pointers are corrupted with attacker-controlled data, subsequent exception handling can redirect execution to arbitrary code. The attack requires local access and user interaction (pasting the malicious URL), but does not require elevated privileges to execute. The flaw is classified under CWE-120 (Buffer Copy without Checking Size of Input), a classic memory safety issue.

Business impact

This vulnerability poses a direct threat to users running AllPlayer 7.4 on Windows systems. An attacker who gains access to a user's workstation can craft a malicious URL and trick the user into opening it via the AllPlayer URL dialog, or directly paste it if social engineering is involved. Successful exploitation results in arbitrary code execution under the user's account, enabling data theft, lateral movement, malware installation, or system compromise. Organizations with media-rich workflows or users who routinely open media URLs are at elevated risk. The impact is particularly severe in environments where user accounts have broad network access or administrative capabilities.

Affected systems

AllPlayer version 7.4 is the confirmed affected version. Users of this specific version running on Windows systems are vulnerable. The scope is local; the attack requires the attacker to have local access or the ability to socially engineer a user into opening a crafted URL. Verify whether your organization is using AllPlayer 7.4 or has migrated to later versions. Consult the vendor's release notes to confirm whether patches are available and which versions address this issue.

Exploitability

Exploitation requires local access and user interaction—specifically, a user must open AllPlayer's URL dialog and either paste or be tricked into opening a malicious URL. While this is not a zero-click remote vulnerability, the attack surface is significant because users routinely open URLs. The barrier to exploit is low once access is gained: an attacker needs only to craft a URL string of sufficient length, which is trivial. No special tools, authentication, or system knowledge is required beyond crafting the oversized input. The attack does not require elevated privileges to initiate. However, practical exploitation may depend on the target system's memory layout and protections; modern Windows versions with ASLR and stack canaries may complicate but not prevent SEH-based exploitation.

Remediation

The primary remediation is to upgrade AllPlayer to a patched version released after 7.4. Contact the AllPlayer vendor or consult their official advisory to identify the specific version number that addresses CVE-2019-25735. If an immediate patch is unavailable, restrict user access to untrusted URLs and educate users not to open suspicious links in the URL dialog. Consider disabling or removing AllPlayer if it is not mission-critical and alternative media players are available. On a system level, ensure Windows is fully patched and DEP (Data Execution Prevention) is enabled, which can mitigate some SEH-based exploits.

Patch guidance

1. Check the AllPlayer vendor's official security advisory and release notes to identify the minimum patched version. 2. Verify that your inventory includes only AllPlayer versions 7.4 and note which users or systems are affected. 3. Plan a phased rollout of the patched version, prioritizing workstations with high-value users or those frequently handling media content. 4. After upgrading, verify the new version is running and confirm that URL handling no longer triggers the vulnerability. 5. Document the patch date and version applied for compliance and audit purposes. Note: specific patched version numbers should be verified against the vendor's official advisory.

Detection guidance

Detection of active exploitation is challenging because the attack is local and leaves minimal forensic traces. However, monitor for: unusual AllPlayer process behavior or unexpected child processes spawned from AllPlayer (indicative of arbitrary code execution post-exploit), access to the AllPlayer directory with abnormally large or suspicious files, and system event logs for SEH-related exceptions or first-chance exceptions during AllPlayer operation. Behavioral monitoring for process injection or unusual network activity from AllPlayer may also signal compromise. Endpoint Detection and Response (EDR) solutions should alert on abnormal process trees stemming from media player applications. Audit logs of URL dialog interactions cannot be reliably captured, so assume that exploitation may occur without direct evidence.

Why prioritize this

This vulnerability merits prompt attention due to its HIGH severity score (8.4 CVSS), direct path to arbitrary code execution, and presence in a widely-used media player. Although it requires local access and user interaction, those barriers are realistic in most organizations. The vulnerability is not currently tracked as actively exploited in the wild (KEV status: false), but the low complexity of the exploit and the user-facing nature of the vector suggest a meaningful risk. Prioritize patching of systems where AllPlayer 7.4 is confirmed in use, particularly in user-facing and media-production environments.

Risk score, explained

The CVSS 3.1 score of 8.4 (HIGH) reflects: Attack Vector: Local (AV:L)—the attacker must have local access; Attack Complexity: Low (AC:L)—crafting an oversized URL is trivial; Privileges Required: None (PR:N)—no elevated privileges needed to trigger the flaw; User Interaction: None (UI:N)—once the URL is pasted or opened, no additional user action is needed; Scope: Unchanged (S:U)—impact is confined to the user's account; and all three impact metrics (Confidentiality, Integrity, Availability) are High (C:H/I:H/A:H)—code execution permits data theft, system modification, and denial of service. The score appropriately reflects a serious but locally-scoped threat.

Frequently asked questions

Is this vulnerability being actively exploited in the wild?

No, this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation has been reported. However, the simplicity of the exploit technique and the prevalence of AllPlayer mean organizations should not assume the vulnerability is low-risk. Monitor threat intelligence feeds and patch promptly.

Can a remote attacker exploit this vulnerability?

No, this is a local vulnerability. An attacker must have local access to the system or be able to trick a user into opening a crafted URL within AllPlayer. It is not remotely exploitable over the network without prior compromise or user interaction.

What should I do if AllPlayer 7.4 is running on systems in my organization?

First, verify the version on affected systems using your asset management or software inventory tools. Check the AllPlayer vendor's official website or security advisory for a patched version. Plan an upgrade campaign prioritizing high-risk users. In the interim, restrict users from opening untrusted URLs in the application and educate them about the risk. If AllPlayer is not critical, consider uninstalling it in favor of an alternative media player.

Does enabling Windows security features help mitigate this vulnerability?

Partially. Modern Windows protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) can make SEH-based code execution more difficult, but they do not eliminate the vulnerability. Patching remains the most reliable mitigation. Ensure DEP is enabled and Windows is fully updated as a defense-in-depth measure.

This analysis is provided for informational purposes to assist security teams in vulnerability assessment and risk prioritization. The information herein is based on available CVE data and industry best practices, but is not a substitute for vendor advisories or your organization's own security testing. Always consult the official AllPlayer vendor security advisory before implementing patches or mitigations. Specific patch version numbers should be verified against authoritative vendor sources. This document does not constitute legal advice, and organizations should align remediation efforts with their own risk management policies and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).