CVE-2019-25330 – SurfOffline Professional 2.2.0.103 contains a s... (How to Fix)

Q: What is the severity of CVE-2019-25330?

CVE-2019-25330 has a CVSS score of 7.5 (HIGH). SurfOffline Professional 2.2.0.103 contains a structured exception handler overflow vulnerability in project name input. Attackers can crash the application via denial of service by sending a malicious payload. Users of this specific software version are affected.

📋 TL;DR

SurfOffline Professional 2.2.0.103 contains a structured exception handler overflow vulnerability in project name input. Attackers can crash the application via denial of service by sending a malicious payload. Users of this specific software version are affected.

💻 Affected Systems

Products:

SurfOffline Professional

Versions: 2.2.0.103

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only this specific version is confirmed vulnerable; other versions may also be affected but not confirmed

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash and denial of service, potentially allowing arbitrary code execution if combined with other vulnerabilities

🟠

Likely Case

Application crash and denial of service, disrupting legitimate users' ability to use the software

🟢

If Mitigated

No impact if software is patched or not in use

🌐 Internet-Facing: LOW - This is client-side software, not typically internet-facing

🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or through social engineering

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit code is publicly available on Exploit-DB; requires local access or file manipulation

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://web.archive.org/web/20190717003929/http://www.bimesoft.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to newer version if available or discontinuing use.

🔧 Temporary Workarounds

Input Validation

windows

Implement strict input validation for project name field to prevent buffer overflow

Application Sandboxing

windows

Run SurfOffline in restricted user context or sandbox to limit impact

🧯 If You Can't Patch

Discontinue use of SurfOffline Professional 2.2.0.103
Implement network segmentation to limit access to systems running vulnerable software

🔍 How to Verify

Check if Vulnerable:

Check Help > About in SurfOffline to confirm version 2.2.0.103

Check Version:

Check application properties or Help > About menu

Verify Fix Applied:

Verify software is no longer version 2.2.0.103 or has been removed

📡 Detection & Monitoring

Log Indicators:

Application crash logs with exception code 0xC0000005 (ACCESS_VIOLATION)
Unexpected termination of surfoffline.exe

Network Indicators:

No network indicators - local exploitation only

SIEM Query:

EventID=1000 OR EventID=1001 AND ProcessName="surfoffline.exe"

📊 Metadata

CVE ID: CVE-2019-25330

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-121

EPSS Score: 0.03% exploit probability (7.3th percentile)

Published: February 12, 2026

Last Updated: February 13, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-25330, you might also want to check these: