CVE-2017-20220

HIGH

Serviio PRO 1.8 Unauthenticated Password Change via REST API

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-20220. PoCs published by LiquidWorm.

AI-analyzed exploit summary This Python script exploits an unauthenticated password modification vulnerability in Serviio PRO 1.8 DLNA Media Streaming Server by sending a crafted PUT request to the REST API endpoint to change the login password for the mediabrowser protected page.

Description

Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · pythonwebappsjava

https://www.exploit-db.com/exploits/41960

View Code ZIP pw:eip

This Python script exploits an unauthenticated password modification vulnerability in Serviio PRO 1.8 DLNA Media Streaming Server by sending a crafted PUT request to the REST API endpoint to change the login password for the mediabrowser protected page.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Serviio PRO 1.8.0.0, 1.7.1, 1.7.0, 1.6.1

No auth needed

Prerequisites: network access to the target server · Serviio REST API endpoint exposed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Mar 16, 2026 Full analysis →

References (8)

Core 8

Core References

Third Party Advisory third-party-advisory

Zero Science Lab Disclosure

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php

Third Party Advisory third-party-advisory

SecuriTeam Blogs

https://blogs.securiteam.com/index.php/archives/3094

Exploit exploit

Exploit-DB

https://www.exploit-db.com/exploits/41960/

Exploit exploit

Packet Storm Security

https://packetstormsecurity.com/files/142386

Third Party Advisory third-party-advisory

CXSecurity

https://cxsecurity.com/issue/WLB-2017050025

Third Party Advisory third-party-advisory

SecurityLab

http://www.securitylab.ru/poc/486047.php

Vdb Entry vdb-entry

IBM X-Force Exchange

https://exchange.xforce.ibmcloud.com/vulnerabilities/125645

Third Party Advisory third-party-advisory

VulnCheck Advisory: Serviio PRO 1.8 Unauthenticated Password Change via REST API

https://www.vulncheck.com/advisories/serviio-pro-unauthenticated-password-change-via-rest-api

Scores

CVSS v3 7.5

EPSS 0.0040

EPSS Percentile 31.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (4)

Serviio/Serviio PRO 1.6.1

Serviio/Serviio PRO 1.7.0

Serviio/Serviio PRO 1.7.1

Serviio/Serviio PRO 1.8.0.0 PRO

Published Mar 16, 2026

Tracked Since Mar 16, 2026