CVE-2022-24562 – CVE-2022-24562 allows unauthenticated attackers... (How to Fix)

Q: What is the severity of CVE-2022-24562?

CVE-2022-24562 has a CVSS score of 9.8 (CRITICAL). CVE-2022-24562 allows unauthenticated attackers to send GET/POST requests to Airserv in IOBit IOTransfer, granting them full file-system read/write access with admin privileges. This can lead to data theft and remote code execution. All users running the vulnerable version of IOTransfer are affected.

📋 TL;DR

CVE-2022-24562 allows unauthenticated attackers to send GET/POST requests to Airserv in IOBit IOTransfer, granting them full file-system read/write access with admin privileges. This can lead to data theft and remote code execution. All users running the vulnerable version of IOTransfer are affected.

💻 Affected Systems

Products:

IOBit IOTransfer

Versions: 4.3.1.1561 and likely earlier versions

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: The Airserv component appears to be enabled by default, making all installations vulnerable out-of-the-box.

📦 What is this software?

Iotransfer by Iobit

View all CVEs affecting Iotransfer →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise: attacker gains full administrative control, steals all data, installs persistent malware, and uses the system as a pivot point for further attacks.

🟠

Likely Case

Data exfiltration and remote code execution leading to ransomware deployment, credential theft, or system takeover.

🟢

If Mitigated

Limited impact if network segmentation prevents external access and endpoint protection blocks malicious payloads.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers on the internet to compromise vulnerable systems.

🏢 Internal Only: HIGH - Even internally, any network-accessible vulnerable system can be compromised by attackers on the same network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code and detailed write-ups exist, making this easily weaponizable by attackers with minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version (check vendor site)

Vendor Advisory: http://iobit.com

Restart Required: Yes

Instructions:

1. Open IOTransfer. 2. Click 'Menu' → 'Check for Updates'. 3. Follow prompts to install latest version. 4. Restart computer.

🔧 Temporary Workarounds

Block Airserv Port

windows

Block network access to the Airserv component using firewall rules

netsh advfirewall firewall add rule name="Block IOTransfer Airserv" dir=in action=block protocol=TCP localport=8080

Uninstall IOTransfer

windows

Remove vulnerable software entirely

Control Panel → Programs → Uninstall IOTransfer

🧯 If You Can't Patch

Segment network to isolate systems running IOTransfer from internet and critical internal networks
Implement strict endpoint detection and response (EDR) rules to monitor for suspicious file system access patterns

🔍 How to Verify

Check if Vulnerable:

Check if IOTransfer version is 4.3.1.1561 or earlier and Airserv service is running on port 8080

Check Version:

Open IOTransfer → Menu → About

Verify Fix Applied:

Confirm IOTransfer version is updated beyond 4.3.1.1561 and Airserv service is no longer accessible

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns from IOTransfer process
Network connections to port 8080 from unexpected sources

Network Indicators:

HTTP GET/POST requests to port 8080 with file system paths
Unusual outbound traffic following IOTransfer exploitation

SIEM Query:

source_port=8080 AND (http_method=GET OR http_method=POST) AND url_path CONTAINS "/airserv/"

📊 Metadata

CVE ID: CVE-2022-24562

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-306

Published: June 16, 2022

Last Updated: November 21, 2024

🔗 References

http://iobit.com Product,Vendor Advisory
http://iotransfer.com Broken Link
http://packetstormsecurity.com/files/167775/IOTransfer-4.0-Remote-Code-Execution.html Exploit,Third Party Advisory,VDB Entry
https://medium.com/%40tomerp_77017/exploiting-iotransfer-insecure-api-cve-2022-24562-a2c4a3f9149d
http://iobit.com Product,Vendor Advisory
http://iotransfer.com Broken Link
http://packetstormsecurity.com/files/167775/IOTransfer-4.0-Remote-Code-Execution.html Exploit,Third Party Advisory,VDB Entry
https://medium.com/%40tomerp_77017/exploiting-iotransfer-insecure-api-cve-2022-24562-a2c4a3f9149d

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-24562, you might also want to check these: