CVE-2019-25628

Download Accelerator Plus (DAP) version 10.0.6.0 is affected by CVE-2019-25628, a structured exception handler (SEH) buffer overflow vulnerability classified under CWE-787 (Out-of-bounds Write). The flaw occurs when the application processes specially crafted URLs through its web page import functionality, allowing overflowing buffer data to overwrite SEH pointers and trigger execution of embedded shellcode. This remote code execution vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with no user interaction or privileges required.

Remote attackers can exploit this vulnerability by creating malicious URLs containing buffer overflow payloads, which victims import via DAP's web page import feature. Successful exploitation leads to arbitrary code execution on the target's system with the privileges of the DAP process, potentially enabling full system compromise, data theft, or malware deployment. The attack requires no authentication and has low complexity, making it highly practical against unpatched installations.

Advisories and references, including those from Vulncheck and Exploit-DB (exploit 46673), document the vulnerability and provide proof-of-concept details, confirming remote code execution via SEH overwrite. Vendor pages from Speedbit (DAP developer) are referenced but do not specify patches or mitigations in the available information. Security practitioners should advise users to discontinue use of DAP 10.0.6.0 or seek updates, while monitoring for exploitation attempts targeting this outdated download manager.