
CVE-2017-20217 | EUVD-2017-18928

Severity: HIGH, CVSS 4.0 base score 8.7
Weakness: Missing Authentication for Critical Function (CWE-306)
Published: 2026-03-15, VulnCheck

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined; CVSS 4.0 has no Scope metric and instead splits impact into Vulnerable System VC:H/VI:N/VA:N and Subsequent System SC:N/SI:N/SA:N)

Lifecycle Timeline (5 events, newest first)

Apr 15, 2026 15:22 (NVD): CVSS changed, 7.5 (HIGH) to 8.7 (HIGH)
Mar 16, 2026 14:53 (vuln.today): PoC detected, public exploit code
Mar 15, 2026 20:00 (euvd): EUVD ID assigned, EUVD-2017-18928
Mar 15, 2026 20:00 (vuln.today): Analysis generated
Mar 15, 2026 18:34 (nvd): CVE published, HIGH 7.5

Description (NVD)

Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication.

Analysis (AI)

An information disclosure vulnerability in Serviio PRO 1.8 and earlier versions allows unauthenticated remote attackers to retrieve sensitive configuration data through the Configuration REST API due to missing authentication controls. Multiple public exploits are available, with proof-of-concept code published on Exploit-DB and PacketStorm, making this vulnerability easily exploitable by attackers with no special privileges or user interaction required.

Technical Context (AI)

Serviio PRO is a media streaming server that exposes a REST API for configuration management. The vulnerability is an instance of CWE-306 (Missing Authentication for Critical Function): the REST API endpoints serve configuration data without first checking that the caller is authenticated. The affected versions are Serviio PRO 1.6.1, 1.7.0, 1.7.1 and 1.8.0.0, enumerated under the CPE cpe:2.3:a:serviio:serviio_pro:*:*:*:*:*:*:*:*. Because the API is an administrative interface with no credential check of its own, any host that can reach the Serviio API port over the network can read the server's settings; the only barrier is network reachability.

Remediation (AI)

Upgrade to a Serviio PRO release newer than 1.8.0.0 if a fixed release is available. As an immediate workaround, restrict network access to the Serviio PRO REST API with firewall rules or access control lists so that only trusted networks can reach it. A reverse proxy that requires authentication can be placed in front of the service, but it only helps if the Serviio API port itself is reachable solely from the proxy; if clients can still connect to the Serviio port directly, the proxy is bypassed. Monitor for unauthenticated or out-of-network requests to the REST API endpoints. The ZeroScience advisory (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php) may contain additional vendor-specific guidance.
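An added example for the monitoring step above (this is not code from vuln.today, Serviio or the ZSL advisory): a Python script that scans reverse-proxy access logs for configuration REST API requests that either came from outside a trusted network or were answered with a 2xx and no authenticated user. It assumes the API is served under a /rest/ path prefix, that the proxy writes the standard combined log format with the basic-auth user in the third field, and that 10.0.0.0/8 and 192.168.1.0/24 are the trusted networks; the log lines are constructed for the example.

```python
"""Flag unauthenticated or out-of-network reads of a Serviio-style configuration REST API
in reverse-proxy access logs. Example code, not part of Serviio or the advisory."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the configuration REST API is served under this path prefix.
REST_PREFIX = "/rest/"

# Assumption: only hosts in these networks should ever reach the management API.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Combined log format as written by nginx/Apache; the third field is the
# basic-auth user the proxy authenticated ("-" when no credential was presented).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Mar/2026:14:53:01 +0000] "GET /rest/configuration HTTP/1.1" 200 1874 "-" "curl/8.5.0"',
    '192.168.1.20 - admin [16/Mar/2026:14:53:05 +0000] "GET /rest/configuration HTTP/1.1" 200 1874 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Mar/2026:14:53:09 +0000] "GET /rest/configuration HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '10.1.2.3 - - [16/Mar/2026:14:53:12 +0000] "GET /rest/configuration HTTP/1.1" 200 1874 "-" "curl/8.5.0"',
    '203.0.113.7 - - [16/Mar/2026:14:53:15 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.5.0"',
]


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines):
    """Return a Finding for every REST API request that violates the access policy."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(REST_PREFIX):
            continue
        untrusted = not is_trusted(rec["ip"])
        # A 2xx answer with no authenticated user is the vulnerable behaviour:
        # configuration data was served without any credential.
        unauth_ok = 200 <= rec["status"] < 300 and rec["user"] == "-"
        if untrusted and unauth_ok:
            reason = "unauthenticated configuration read from untrusted network"
        elif untrusted:
            reason = "REST API reached from untrusted network"
        elif unauth_ok:
            reason = "unauthenticated configuration read (proxy auth not enforced)"
        else:
            continue
        findings.append(Finding(rec["ip"], rec["ts"], rec["method"],
                                rec["path"], rec["status"], reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

Run against a real log by replacing SAMPLE_LOG with the file's lines. A 401 from an untrusted source is still reported, since it shows the API port is reachable from outside the allowed networks and the firewall rule is missing or wrong.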


CVE-2017-20217 vulnerability details – vuln.today
