cbcvebase.
CVE-2022-23748
published 2022-11-17

CVE-2022-23748: mDNSResponder.exe is vulnerable to DLL Sideloading attack. Executable improperly specifies how to load the DLL, from which folder and under what conditions. In…

Priority: P2, 79, high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
KEV / ITW: CISA Known Exploited Vulnerability (due 2025-02-27); exploited in the wild
EPSS: 9.09% (94.7th percentile)
mDNSResponder.exe is vulnerable to a DLL sideloading attack. The executable improperly specifies how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker could use the valid and legitimate executable to load malicious files.

Affected (1 range)

Vendor: audinate
Product: dante_application_library
Version range: <= 1.2.0
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

Filename: mDNSResponder.exe
  • Monitor for DLL sideloading via mDNSResponder.exe — detect unexpected DLLs loaded from non-standard directories by this process, which is part of Audinate's Dante Discovery software.
  • Detect spear-phishing delivery vector: ZIP attachments containing a signed executable paired with a malicious DLL exploiting CVE-2022-23748 to sideload the CurKeep backdoor.
  • Hunt for the StylerServ passive listener: alert on processes listening on ports 60810–60814 and reading/writing XOR-encrypted 'stylers.bin' files.
  • CurKeep backdoor (10kb) establishes persistence and beacons to C2; hunt for anomalously small (~10kb) DLL/EXE files achieving persistence via Run keys or services alongside mDNSResponder.exe execution.
  • Detect CurCore behavior: monitor for processes creating files with arbitrary content, executing remote commands, or returning file contents base64-encoded to a remote host.
  • Flag DLL sideloading chains involving legitimate VLC executables as a secondary sideloading vector used by the same ToddyCat threat actor in parallel campaigns.
  • The vulnerability is exploitable locally; a local attacker must be able to place a malicious DLL in a path searched by mDNSResponder.exe. Remote exploitation requires a prior delivery mechanism (e.g., spear-phishing ZIP).
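As an added example (not part of this CVE record or of any vendor tooling), the detection bullets above applied to constructed Sysmon-style events: an mDNSResponder.exe image load from outside its install or system directories, a listener on the StylerServ port range, and a stylers.bin write. The Dante Discovery install path, the event field names and the sample events are assumptions.

```python
import ntpath

TARGET_EXE = "mdnsresponder.exe"
# Directories from which mDNSResponder.exe is expected to load DLLs: an assumed
# Dante Discovery install path plus Windows system dirs; anything else is a sideload.
TRUSTED_DIRS = (r"c:\program files (x86)\audinate\dante discovery",
                r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
STYLERSERV_PORTS = range(60810, 60815)   # 60810-60814 from the IOC list above
STYLERSERV_FILE = "stylers.bin"

def _norm(path):
    return path.replace("/", "\\").lower()   # case- and separator-insensitive compare

def _trusted(path):
    d = ntpath.dirname(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)

def check_event(ev):
    """Return alert strings for one Sysmon-like event dict (field names assumed)."""
    alerts = []
    image = _norm(ev.get("Image", ""))
    kind = ev.get("EventType")
    if kind == "ImageLoad" and ntpath.basename(image) == TARGET_EXE:
        loaded = _norm(ev.get("ImageLoaded", ""))
        if not _trusted(loaded):
            alerts.append(f"sideload: {image} loaded {loaded}")
    elif kind == "NetworkListen" and int(ev.get("Port", 0)) in STYLERSERV_PORTS:
        alerts.append(f"listener: {image} on port {ev['Port']}")
    elif kind == "FileCreate":
        target = _norm(ev.get("TargetFilename", ""))
        if ntpath.basename(target) == STYLERSERV_FILE:
            alerts.append(f"file: {image} wrote {target}")
    return alerts

def scan(events):
    return [a for ev in events for a in check_event(ev)]

# Constructed sample telemetry (not real logs): a benign system DLL load, then a
# sideload from a user-writable folder, a listener, a stylers.bin write, and noise.
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Image": r"C:\Program Files (x86)\Audinate\Dante Discovery\mDNSResponder.exe", "ImageLoaded": r"C:\Windows\System32\ws2_32.dll"},
    {"EventType": "ImageLoad", "Image": r"C:\Users\victim\Downloads\invoice\mDNSResponder.exe", "ImageLoaded": r"C:\Users\victim\Downloads\invoice\helper.dll"},
    {"EventType": "NetworkListen", "Image": r"C:\Users\victim\Downloads\invoice\mDNSResponder.exe", "Port": 60812},
    {"EventType": "FileCreate", "Image": r"C:\Users\victim\Downloads\invoice\mDNSResponder.exe", "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\stylers.bin"},
    {"EventType": "NetworkListen", "Image": r"C:\Windows\System32\svchost.exe", "Port": 135},
]
```

Running scan(SAMPLE_EVENTS) yields three alerts (sideload, listener, file) and nothing for the two benign events; in a real deployment the trusted-directory list must match where the Dante installer actually places mDNSResponder.exe.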

CVSS provenance

nvd (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH