Cyber Resilience

CVE-2017-20220

HighPublic PoC

Published: 16 March 2026

Published
16 March 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 31.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2017-20220 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Securitylab (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

Serviio PRO 1.8 is affected by CVE-2017-20220, an improper access control vulnerability (CWE-306) in its Configuration REST API. This flaw allows unauthenticated attackers to modify the mediabrowser login password by sending specially crafted requests to the API endpoints without any authentication requirements. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its potential for high confidentiality impact.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges needed. By targeting the REST API endpoints with crafted requests, they can alter mediabrowser credentials, enabling subsequent unauthorized access to protected media browsing features.

Advisories and proof-of-concept details are documented in references such as SecurityLab, SecuriTeam blogs, CXSecurity, IBM X-Force Exchange, and PacketStorm, though specific patch or mitigation guidance is not detailed in the primary CVE information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Direct unauthenticated exploitation of public REST API (T1190) to manipulate account credentials (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-6260Shared CWE-306
CVE-2025-40736Shared CWE-306
CVE-2025-26347Shared CWE-306
CVE-2026-1670Shared CWE-306
CVE-2025-26359Shared CWE-306
CVE-2025-26341Shared CWE-306
CVE-2026-27012Shared CWE-306
CVE-2026-4810Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306

Affected Assets

Securitylab
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates identification and limitation of actions permitted without authentication, preventing unauthenticated changes to mediabrowser credentials via the REST API.

prevent

Enforces approved authorizations for access to system resources, blocking unauthenticated attackers from modifying passwords through crafted API requests.

prevent

Requires identification and authentication for non-organizational users accessing the system, mitigating remote unauthenticated exploitation of the Configuration REST API.

References