CVE-2022-24562

CRITICAL

IOBit IOTransfer 4.3.1.1561 - RCE

Title source: llm

Description

In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.

Exploits (1)

exploitdb WORKING POC

by Tomer Peled · pythonremotewindows

https://www.exploit-db.com/exploits/50974

View Code ZIP pw:eip

References (4)

[Product, Vendor Advisory] http://iobit.com

[Broken Link] http://iotransfer.com

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/167775/IOTransfer-4.0-Remote-Code-Execution.html

[Various Sources] https://medium.com/%40tomerp_77017/exploiting-iotransfer-insecure-api-cve-2022-24562-a2c4a3f9149d

Scores

CVSS v3 9.8

EPSS 0.4916

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-306

Status published

Products (1)

iobit/iotransfer 4.3.1.1561

Published Jun 16, 2022

Tracked Since Feb 18, 2026