CVE-2025-34127
Achat v0.150 SEH Buffer Overflow via UDP
Vexday Risk Score
63 · High priority
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.3 · EPSS 1.1% · KEV: no · PoC: public · Nuclei: — · Metasploit: yes · Patch: —
Lifecycle
18 Dec 2014: Metasploit module available
16 Jul 2025: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
A stack-based buffer overflow exists in Achat v0.150 in its default configuration. By sending a specially crafted message to UDP port 9256, an attacker can overwrite the structured exception handler (SEH) because of insufficient bounds checking on user-supplied input, leading to remote code execution.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Achat Software · Achat Chat Server
Public PoCs found: 2
raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/misc/achat_bof.rb (cve_reference, unverified)
www.exploit-db.com/exploits/36056 (cve_reference, unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.