CVE-2022-32270

CRITICAL

Realnetworks Realplayer - Path Traversal

Title source: rule

Description

In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).

References (2)

[Exploit, Third Party Advisory] https://github.com/Edubr2020/RP_Import_RCE

View Exploit ZIP pw:eip

[Exploit, Third Party Advisory] https://youtu.be/CONlijEgDLc

Scores

CVSS v3 9.8

EPSS 0.0406

EPSS Percentile 88.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-22

Status published

Affected Products (2)

realnetworks/realplayer

realnetworks/realplayer

Timeline

Published Jun 03, 2022

Tracked Since Feb 18, 2026