CVE-2022-28381

9.8 CRITICAL

📋 TL;DR

CVE-2022-28381 is a critical stack-based buffer overflow vulnerability in ALLMediaServer 1.6's mediaserver.exe component. Attackers can send a specially crafted long string to TCP port 888 to execute arbitrary code remotely. This affects anyone running the vulnerable ALLMediaServer version.

💻 Affected Systems

Products:
  • ALLMediaServer
Versions: 1.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The mediaserver.exe component listens on TCP port 888 by default. No special configuration is needed for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution, allowing attackers to install malware, steal data, or create persistent backdoors.

🟠 Likely Case

Remote code execution leading to ransomware deployment, data exfiltration, or botnet recruitment.

🟢 If Mitigated

Denial of service if the overflow crashes the service without achieving code execution.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via TCP port 888 without authentication.
🏢 Internal Only: HIGH - Even internally, any attacker with network access to port 888 can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub and Packet Storm. The vulnerability is similar to CVE-2017-17932, suggesting attackers may adapt existing exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found

Restart Required: No

Instructions:

No official patch is available. Consider the workarounds and mitigation steps below.

🔧 Temporary Workarounds

Block TCP port 888 (Windows)

Use firewall rules to block inbound connections to TCP port 888 on affected systems.

netsh advfirewall firewall add rule name="Block ALLMediaServer Port" dir=in action=block protocol=TCP localport=888

Disable ALLMediaServer service (Windows)

Stop and disable the ALLMediaServer service to prevent exploitation. Run these from an elevated Command Prompt; in PowerShell use sc.exe, because sc is an alias for Set-Content there.

sc stop ALLMediaServer
sc config ALLMediaServer start= disabled

🧯 If You Can't Patch

  • Segment network to isolate ALLMediaServer systems from untrusted networks
  • Implement strict network access controls to limit connections to port 888

🔍 How to Verify

Check if Vulnerable:

Check whether ALLMediaServer version 1.6 is installed and mediaserver.exe is listening on TCP port 888.

Check Version:

Check the ALLMediaServer installation directory under Program Files for the version, or look it up under installed programs in Control Panel.

Verify Fix Applied:

Verify that ALLMediaServer is no longer running, or that nothing is listening on TCP port 888 and the inbound block rule is in place.
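A PowerShell check that walks the three verification steps above on a Windows host. This is an added example, not code from the advisory or the vendor; it assumes the service is registered as "ALLMediaServer", that the firewall rule uses the name from the netsh workaround, and that mediaserver.exe carries file version metadata.

```powershell
# Added example (not from the original advisory). Reports whether mediaserver.exe is
# listening on TCP 888, which product version the binary reports, and whether the
# two workarounds (service disabled, inbound block rule) are in effect.
function Test-AllMediaServerExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 888,
        [string]$ProcessName = 'mediaserver',                      # mediaserver.exe
        [string]$ServiceName = 'ALLMediaServer',                   # assumed service name
        [string]$FirewallRuleName = 'Block ALLMediaServer Port'    # name used in the netsh workaround
    )

    # 1. Is anything listening on the port, and which process owns the socket?
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
                Select-Object -First 1
    $proc = if ($listener) { Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue }

    # 2. Version from the executable's file metadata (assumes the binary is versioned)
    $version = if ($proc -and $proc.Path) { (Get-Item $proc.Path).VersionInfo.ProductVersion }

    # 3. Mitigation state: service start type and the inbound block rule
    $svc  = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue
    $blockActive = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    $isMediaServer = [bool]($proc -and $proc.ProcessName -ieq $ProcessName)

    [pscustomobject]@{
        Listening        = [bool]$listener
        ListenerProcess  = if ($proc) { $proc.ProcessName } else { $null }
        ProcessVersion   = $version
        ServiceStartType = if ($svc) { $svc.StartType } else { 'not found' }
        BlockRuleActive  = $blockActive
        # Exposed = the vulnerable binary is reachable on the port with no block rule in place
        Exposed          = ($isMediaServer -and -not $blockActive)
    }
}

Test-AllMediaServerExposure | Format-List
```

The Exposed field is the summary: True means mediaserver.exe owns the listening socket and no enabled block rule covers it, so the host still matches the advisory's vulnerable state.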

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from mediaserver.exe
  • Crash logs from ALLMediaServer service

Network Indicators:

  • Unusual traffic patterns to TCP port 888
  • Large strings sent to port 888

SIEM Query:

source="*" AND (destination_port=888 AND (payload_size>1000 OR contains(payload, "AAAAAAAA")))

This is a vendor-neutral pseudo-query; map the field names to your SIEM. The "AAAAAAAA" pattern only matches unmodified PoC padding, so treat the payload size threshold as the primary signal and tune it against normal client traffic to port 888.
