Description
A buffer overflow vulnerability exists in the X360 VideoPlayer ActiveX control (VideoPlayer.ocx) version 2.6 when handling overly long arguments to the ConvertFile() method. An attacker can exploit this vulnerability by supplying crafted input to cause memory corruption and execute arbitrary code within the context of the current process.
Published: 2025-07-16
Score: 8.6 High
EPSS: 52.1% High
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A buffer overflow occurs in X360 VideoPlayer ActiveX Control (VideoPlayer.ocx) version 2.6 when the ConvertFile() method processes excessively long arguments. The overflow corrupts memory and allows an attacker to execute arbitrary code in the context of the current process. This type of flaw is a classic stack-based buffer overflow (CWE-120) and may also allow injection of malicious code (CWE-94), enabling remote code execution and full compromise of the affected system.

Affected Systems

The vulnerability affects the X360 VideoPlayer ActiveX Control from X360Soft. The specific vulnerable version is 2.6. Systems running this ActiveX control, typically within Internet Explorer or other browsers that support ActiveX, are at risk. No other versions are currently listed as affected.

Risk and Exploitability

With a CVSS score of 8.6, the flaw is classified as high severity. An EPSS score of 52% indicates a high likelihood of exploitation in the wild, and there are documented proof‑of‑concept exploits in Metasploit and Exploit‑DB. The attack vector is likely through malicious web content that loads the ActiveX control and calls ConvertFile() with a crafted argument. Because the payload runs in the context of the current process, it can lead to full system takeover. The vulnerability is not yet listed in the CISA KEV catalog, but the presence of public exploits and the high EPSS suggest a significant threat.

Generated by OpenCVE AI on April 22, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a vendor-published patch, or upgrade to a version of X360 VideoPlayer ActiveX Control that resolves the ConvertFile() buffer overflow, if one becomes available.
  • Disable or uninstall the X360 VideoPlayer ActiveX Control on all machines that do not require it, using browser settings or Group Policy to block the control.
  • As an interim measure, restrict browsers to Protected Mode or disable ActiveX features entirely, and employ endpoint protection that detects and blocks the known exploit payloads.



Advisories
Source: EUVD
ID: EUVD-2025-21743
Title: A buffer overflow vulnerability exists in the X360 VideoPlayer ActiveX control (VideoPlayer.ocx) version 2.6 when handling overly long arguments to the ConvertFile() method. An attacker can exploit this vulnerability by supplying crafted input to cause memory corruption and execute arbitrary code within the context of the current process.

History

Thu, 17 Jul 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 21:45:00 +0000

Type: References

Wed, 16 Jul 2025 21:30:00 +0000

Type: Description
Values Added: A buffer overflow vulnerability exists in the X360 VideoPlayer ActiveX control (VideoPlayer.ocx) version 2.6 when handling overly long arguments to the ConvertFile() method. An attacker can exploit this vulnerability by supplying crafted input to cause memory corruption and execute arbitrary code within the context of the current process.

Type: Title
Values Added: X360 VideoPlayer ActiveX Control Buffer Overflow via ConvertFile()

Type: Weaknesses
Values Added: CWE-120, CWE-94

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:47.863Z

Reserved: 2025-04-15T19:15:22.561Z

Link: CVE-2025-34128

Vulnrichment

Updated: 2025-07-17T13:45:03.820Z

NVD

Status: Deferred

Published: 2025-07-16T22:15:24.410

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:30:28Z
