CVE-2022-23748
Published 2022-11-17
Priority: P279 · Severity: high · CVSS 3.1 base score: 7.8
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV / ITW: CISA Known Exploited Vulnerability (remediation due 2025-02-27); exploited in the wild
EPSS: 9.09% (94.7th percentile)
mDNSResponder.exe is vulnerable to a DLL sideloading attack. The executable improperly specifies how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker could use the valid and legitimate executable to load malicious files.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| audinate | dante_application_library | <= 1.2.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for DLL sideloading via mDNSResponder.exe: detect unexpected DLLs loaded from non-standard directories by this process, which is part of Audinate's Dante Discovery software.
- Detect the spear-phishing delivery vector: ZIP attachments containing a signed executable paired with a malicious DLL exploiting CVE-2022-23748 to sideload the CurKeep backdoor.
- Hunt for the StylerServ passive listener: alert on processes listening on ports 60810–60814 and reading/writing XOR-encrypted 'stylers.bin' files.
- The CurKeep backdoor (10 KB) establishes persistence and beacons to C2; hunt for anomalously small (~10 KB) DLL/EXE files achieving persistence via Run keys or services alongside mDNSResponder.exe execution.
- Detect CurCore behavior: monitor for processes creating files with arbitrary content, executing remote commands, or returning file contents base64-encoded to a remote host.
- Flag DLL sideloading chains involving legitimate VLC executables, a secondary sideloading vector used by the same ToddyCat threat actor in parallel campaigns.
- Note: the vulnerability is exploitable locally; a local attacker must be able to place a malicious DLL in a path searched by mDNSResponder.exe. Remote exploitation requires a prior delivery mechanism (e.g., a spear-phishing ZIP).
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Dante Discovery Process Control Vulnerability
cisa · 2025-02-06 · CVSS 7.8
CVE-2022-23748 [HIGH] CWE-114
Vulnerability: Dante Discovery Process Control Vulnerability
Affected: Audinate Dante Discovery
Dante Discovery contains a process control vulnerability in mDNSResponder.exe that allows for a DLL sideloading attack. A local attacker can leverage this vulnerability in the Dante Application Library to execute arbitrary code.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.getdante.com/support/faq/audinate-response-to-dante-discovery-mdnsresponder-exe-security-issue-cve-2022-23748/ ; https://nvd.nist.gov/vuln/detail/CVE-2022-23748
Remediation Due Date: 2025-02-27
GHSA
GHSA-rc8f-8m86-p4vm: mDNSResponder
ghsa_unreviewed · 2022-11-18
CVE-2022-23748 [HIGH] CWE-114
mDNSResponder.exe is vulnerable to a DLL sideloading attack. The executable improperly specifies how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker could use the valid and legitimate executable to load malicious files.
VulnCheck
Dante Discovery Process Control Vulnerability
vulncheck · 2022 · CVSS 7.8
CVE-2022-23748 [HIGH] CWE-114
Dante Discovery contains a process control vulnerability in mDNSResponder.exe that allows for a DLL sideloading attack. A local attacker can leverage this vulnerability in the Dante Application Library to execute arbitrary code.
Affected: Audinate Dante Discovery
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://research.checkpoint.com/2023/stayin-alive-targeted-attacks-against-telecoms-and-government-ministries-in-asia/ ; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json ; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025-02-27
No detection rules found.
No public exploits indexed.
References
- https://cpr-zero.checkpoint.com/vulns/cprid-2193/
- https://www.audinate.com/learning/faqs/audinate-response-to-dante-discovery-mdnsresponder-exe-security-issue-cve-2022-23748
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23748
Timeline
- 2022-11-17: Published
- 2025-02-06: Added to CISA KEV
- Exploited in the wild