CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.
Analysis (AI-generated)
An improper access control vulnerability in Serviio PRO 1.8's Configuration REST API allows unauthenticated remote attackers to change the mediabrowser login password without any authentication. Multiple public proof-of-concept exploits are available on Exploit-DB and PacketStorm, making this vulnerability trivially exploitable. The vulnerability affects Serviio PRO versions 1.6.1 through 1.8.0.0 PRO and represents a complete authentication bypass allowing full account takeover.
Technical Context (AI-generated)
Serviio PRO is media server software that exposes a REST API for configuration management. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function): the password-change endpoint in the Configuration REST API does not verify whether the request comes from an authenticated user. The CPE identifier cpe:2.3:a:serviio:serviio_pro:*:*:*:*:*:*:*:* indicates that all versions are potentially affected, though EUVD specifically confirms versions 1.6.1, 1.7.0, 1.7.1, and 1.8.0.0 PRO. The REST API endpoint accepts specially crafted HTTP requests that modify user credentials without requiring any authentication token or session validation.
Remediation (AI-generated)
No specific patch version or vendor advisory is mentioned in the provided references. Users should upgrade to a version newer than 1.8.0.0 PRO if one is available. As immediate mitigation, administrators should:
1. Restrict network access to the Serviio REST API using firewall rules.
2. Place the API behind an authenticating proxy or a VPN.
3. Monitor logs for unauthorized password-change attempts.
Contact Serviio support for official patch information, as no vendor advisory link is present in the references. The Zero Science Labs advisory (ZSL-2017-5407) may contain additional remediation details.
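The third mitigation (monitoring for unauthorized password-change attempts) can be turned into a concrete log check. The script below is an added example, not code from this page or from Serviio. It assumes the REST API has been placed behind a reverse proxy (mitigation 2) that writes standard combined-format access logs, where the remote-user field is "-" when no HTTP credentials were presented. The configuration-API path prefix, the management network range, and the log lines themselves are constructed placeholders, since the page names neither the vulnerable endpoint path nor a log format. It flags two conditions: a mutating request to the configuration API that the backend accepted without any credentials, and any mutating attempt against that API from outside the management network, whether or not it succeeded.

```python
import ipaddress
import re
from dataclasses import dataclass

# ASSUMPTION: combined access-log format as written by an nginx/Apache-style reverse
# proxy in front of Serviio. The third field is the authenticated user ("-" if none).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# PLACEHOLDER: the page does not name the vulnerable endpoint; replace with the real
# prefix of the Serviio Configuration REST API in your deployment.
CONFIG_API_PREFIX = "/rest/configuration"
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# PLACEHOLDER: the network from which administrators are allowed to reconfigure the server.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Alert:
    src: str
    method: str
    path: str
    reason: str


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def check_event(event):
    """Return the list of reasons a request is suspicious; an empty list means benign."""
    if event["method"] not in MUTATING_METHODS:
        return []  # reads of the configuration are not what this check is about
    if not event["path"].startswith(CONFIG_API_PREFIX):
        return []
    reasons = []
    # A 2xx on a config change with no credentials means the backend accepted it unauthenticated.
    if event["user"] == "-" and 200 <= event["status"] < 300:
        reasons.append("unauthenticated config change accepted")
    try:
        src = ipaddress.ip_address(event["src"])
        if not any(src in net for net in MANAGEMENT_NETS):
            reasons.append("config change attempt from outside management network")
    except ValueError:
        reasons.append("unparseable source address")
    return reasons


def scan(lines):
    """Run every log line through the checks and collect alerts."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for reason in check_event(event):
            alerts.append(Alert(event["src"], event["method"], event["path"], reason))
    return alerts


# Constructed sample log: one legitimate admin change, one unauthenticated change that
# succeeded, one attempt rejected by the proxy, and two unrelated requests.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Jan/2025:10:00:01 +0000] "PUT /rest/configuration/password HTTP/1.1" 200 12',
    '203.0.113.7 - - [12/Jan/2025:10:02:13 +0000] "PUT /rest/configuration/password HTTP/1.1" 200 12',
    '203.0.113.7 - - [12/Jan/2025:10:02:40 +0000] "PUT /rest/configuration/password HTTP/1.1" 401 0',
    '10.0.0.5 - admin [12/Jan/2025:10:03:00 +0000] "GET /rest/configuration HTTP/1.1" 200 500',
    '192.0.2.9 - - [12/Jan/2025:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.src} {alert.method} {alert.path}: {alert.reason}")
```

Feed real proxy logs to scan() and forward the alerts to whatever alerting pipeline is in use; the "unauthenticated config change accepted" reason is the one that indicates the proxy's authentication was bypassed or misconfigured and the vulnerable endpoint was reached directly.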
Reference: EUVD-2017-18934