cbcvebase.
CVE-2022-24562
published 2022-06-16


Priority: P1 85
Severity: critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit flagged
EPSS: 53.07% (98.8th percentile)
In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.

Affected (1 range)

Vendor: iobit
Product: iotransfer
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 7193
url: /index.php?action=gettasklist&userid=*
url: /index.php?action=createtask
url: /index.php?action=settaskdetailbyindex&userid=*
url: /index.php?action=newuploadfile&userid=*
url: /index.php?action=setiotconfig
url: /index.php?action=downloadfile&userid=*
url: /index.php?action=getpcname&userid=*
path: ../Program Files (x86)/Google/Update/goopdate.dll
  • Detect unauthenticated HTTP requests to the IOTransfer Airserv API on TCP port 7193 that carry the userid=* wildcard; this wildcard is the authentication bypass used in exploitation.
  • Alert on HTTP POST requests to /index.php?action=setiotconfig on port 7193, which are used to change the task save path as part of the path traversal/write primitive.
  • Alert on HTTP POST requests to /index.php?action=newuploadfile on port 7193 with a binary body, which indicate a file upload to an attacker-chosen remote path.
  • Monitor for DLL files written to the Google Update directory (Program Files (x86)/Google/Update/goopdate.dll) by non-Google processes; this is the DLL hijacking target used in the RCE chain.
  • Scan the network for hosts listening on TCP 7193 that respond to /index.php?action=getpcname, to identify exposed IOTransfer Airserv instances.
  • The exploit uses path traversal in the savefilename field (e.g., '../Program Files...') of the settaskdetailbyindex POST body to write files outside the intended directory; inspect JSON POST bodies sent to this endpoint for traversal sequences.
  • The userid=* wildcard is accepted by the Airserv API without authentication, so no credentials are required to interact with any API endpoint. Any network-accessible host running IOTransfer on port 7193 is exploitable without prior access.
  • The exploit sets the task save path to 'C:\Program ' (with a trailing space) via setiotconfig before creating the upload task; this path manipulation is required for the traversal write to reach arbitrary locations.
  • The RCE chain relies on DLL hijacking via goopdate.dll in the Google Update directory; execution is triggered when the Google Update service or a Google application loads the hijacked DLL.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C