Cyber Resilience

CVE-2017-20217

HighPublic PoC

Published: 16 March 2026

Published
16 March 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0066 46.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2017-20217 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Securitylab (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2017-20217 is an information disclosure vulnerability in Serviio PRO 1.8 due to improper access control enforcement in the Configuration REST API. This issue, mapped to CWE-306 (Missing Authentication for Critical Function), enables unauthenticated attackers to access sensitive configuration data. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high severity from its network reachability, low attack complexity, lack of required privileges, and substantial confidentiality impact without integrity or availability effects. It was published on 2026-03-16T14:17:51.090.

Remote, unauthenticated attackers can exploit this vulnerability by sending specially crafted requests to the Configuration REST API endpoints. Successful exploitation allows retrieval of potentially sensitive configuration information without any authentication requirements, potentially exposing internal system details or credentials configured in Serviio PRO.

Advisories and additional details on mitigation or patches are available in the referenced sources, including http://www.securitylab.ru/poc/486048.php, https://blogs.securiteam.com/index.php/archives/3094, https://cxsecurity.com/issue/WLB-2017050022, https://exchange.xforce.ibmcloud.com/vulnerabilities/125646, and https://packetstormsecurity.com/files/142383.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to…

more

retrieve potentially sensitive configuration data without authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Direct remote unauthenticated exploit of public REST API (T1190); exposes config data including potential credentials (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53118Shared CWE-306
CVE-2026-3323Shared CWE-306
CVE-2026-4810Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306
CVE-2025-68715Shared CWE-306
CVE-2026-21992Shared CWE-306
CVE-2025-26362Shared CWE-306
CVE-2026-48692Shared CWE-306
CVE-2022-50981Shared CWE-306

Affected Assets

Securitylab
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the improper access control enforcement that allows unauthenticated retrieval of sensitive configuration data via the REST API.

prevent

AC-14 explicitly identifies and authorizes only minimal user actions without identification or authentication, preventing exposure of sensitive Configuration REST API endpoints to unauthenticated attackers.

prevent

IA-9 requires identification and authentication mechanisms for services consistent with their criticality, ensuring the Configuration REST API demands authentication before disclosing sensitive data.

References