CVE-2022-32270

moderate-risk
Published 2022-06-03

In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).

Do I need to act?

~
4.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Realplayer
Realplayer

Affected Vendors

Realnetworks

References (4)

Exploit https://github.com/Edubr2020/RP_Import_RCE
Exploit https://youtu.be/CONlijEgDLc
Exploit https://github.com/Edubr2020/RP_Import_RCE
Exploit https://youtu.be/CONlijEgDLc
46
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 7/34 · Low