VYPR
Severity: unrated · NVD advisory · Published Jul 6, 2022 · Updated Aug 3, 2024

CVE-2022-24140

Description

IOBit Advanced System Care 15, iTop Screen Recorder 2.1, iTop VPN 3.2, Driver Booster 9, and iTop Screenshot send HTTP requests in their update procedure in order to download a config file. After downloading the config file, the products parse the HTTP location of the update from the file and try to install the update automatically with ADMIN privileges. An attacker intercepting this communication can supply the product with a fake config file containing malicious update locations, thus gaining remote code execution on an endpoint.
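The update flow the description calls out, written as an added example rather than any IObit code: the weak pattern (trust whatever URL the config names and install it) beside a hardened validation step that refuses non-TLS URLs, pins the update host, and checks the payload digest before anything elevated runs. The JSON manifest shape, the host allowlist, the `.invalid` hostnames and the sample payload are all constructed for the demonstration.

```python
"""Added example (not IObit's code): the trust-the-config update pattern the
advisory describes, beside a hardened validation step. The JSON manifest
shape, the host allowlist and the sample payload are all constructed."""
import hashlib
import json
from urllib.parse import urlparse

# Constructed allowlist; a real updater would pin its vendor's hosts here.
TRUSTED_HOSTS = frozenset({"update.example-vendor.invalid"})


class UpdateRejected(Exception):
    """Raised when the config or payload fails a check; nothing is installed."""


def parse_update_location_insecure(config_text: str) -> str:
    """The weak pattern: take whatever URL the config names and go install it.
    Whoever answers the product's plain-HTTP request chooses this value."""
    return json.loads(config_text)["update_url"]


def validate_update_config(config_text: str, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Hardened parse: the config must be valid JSON, name an https URL on an
    allowlisted host, and carry a SHA-256 digest the payload must match."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        raise UpdateRejected(f"config is not valid JSON: {exc}") from None
    url, digest = cfg.get("update_url"), cfg.get("sha256")
    if not isinstance(url, str) or not isinstance(digest, str):
        raise UpdateRejected("config must carry update_url and sha256 strings")
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"refusing non-TLS update URL: {url}")
    if parts.hostname not in trusted_hosts:
        raise UpdateRejected(f"update host not allowlisted: {parts.hostname}")
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise UpdateRejected("sha256 field is not a 64-hex-digit digest")
    return {"url": url, "sha256": digest}


def config_is_acceptable(config_text: str) -> bool:
    """Boolean wrapper around validate_update_config."""
    try:
        validate_update_config(config_text)
        return True
    except UpdateRejected:
        return False


def verify_payload(payload: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded bytes against the digest from the trusted config."""
    return hashlib.sha256(payload).hexdigest() == expected_sha256


def install_update(config_text: str, fetch, run_elevated) -> bool:
    """Full flow: validate config, fetch(url) -> bytes, verify digest, then hand
    the payload to run_elevated. Returns True only if the installer was run."""
    cfg = validate_update_config(config_text)
    payload = fetch(cfg["url"])
    if not verify_payload(payload, cfg["sha256"]):
        raise UpdateRejected("payload digest mismatch; not installing")
    run_elevated(payload)
    return True


def try_install(config_text: str, fetch, run_elevated) -> bool:
    """True if the update was installed, False if any check rejected it."""
    try:
        return install_update(config_text, fetch, run_elevated)
    except UpdateRejected:
        return False


# Constructed sample data: a legitimate manifest and a forged one of the kind
# a network-position attacker would hand back over plain HTTP.
GOOD_PAYLOAD = b"MZ-constructed-installer-bytes"
GOOD_CONFIG = json.dumps({
    "update_url": "https://update.example-vendor.invalid/asc/15/setup.exe",
    "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
})
FORGED_CONFIG = json.dumps({"update_url": "http://198.51.100.7/setup.exe"})

if __name__ == "__main__":
    print("insecure parse would install from:", parse_update_location_insecure(FORGED_CONFIG))
    print("hardened parse accepts forged config:", config_is_acceptable(FORGED_CONFIG))
    print("good config installed:", try_install(
        GOOD_CONFIG, fetch=lambda url: GOOD_PAYLOAD,
        run_elevated=lambda data: print("installing", len(data), "bytes")))
```

The digest in the manifest is only as trustworthy as the channel it arrived over, which is why the scheme and host checks come first; TLS plus a pinned host makes the manifest authentic, and the digest then binds the payload to it. A vendor-signed manifest verified with an embedded public key would be stronger still, but that is a design choice beyond what this advisory describes.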

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IOBit software products send unencrypted HTTP requests for update config files, allowing a man-in-the-middle attacker to supply a malicious config and achieve remote code execution.

Vulnerability

Multiple IOBit products including Advanced System Care 15, iTop Screen Recorder 2.1, iTop VPN 3.2, Driver Booster 9, and iTop Screenshot communicate with their update servers over plain HTTP to download a configuration file that specifies the location of updates [1]. The products parse this HTTP response and use the location to fetch and install updates automatically with administrative privileges. Because the config file is transmitted without TLS, an attacker able to intercept the traffic can replace the legitimate config with a forged one pointing to malicious update payloads.

Exploitation

An attacker must be positioned on the network path between the affected IOBit product and its update server (e.g., on a shared Wi-Fi network, compromised router, or via ARP spoofing) to intercept the HTTP request for the config file [1]. No authentication is required; the attacker simply responds to the product's HTTP request with a crafted JSON or XML config file that contains a URL pointing to an attacker-controlled executable. The product then downloads and executes that executable with SYSTEM privileges because the update installer runs elevated.

Impact

Successful exploitation gives the attacker remote code execution on the target endpoint with full administrative rights [1]. This allows installation of malware, theft of sensitive data, or complete compromise of the system's integrity and availability.

Mitigation

No official patch has been announced for any of the affected products as of the publication date [1][3]. Users should avoid using these products on untrusted networks or apply network-level filtering to intercept and inspect update traffic. The vendor (IObit) has not communicated a fixed version or workaround in the references provided.
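The network-level inspection suggested above, as an added example that is not part of the advisory or the vendor's tooling: a scan over proxy-style logs that flags config files and executables fetched over plain HTTP, then correlates the two-step config-then-executable shape per client. The log line format, the hostnames and every sample line are constructed.

```python
"""Added example (not from the advisory or the vendor): scan proxy-style logs for
update traffic fetched over plain HTTP, the exposure CVE-2022-24140 depends on.
The log line format and every sample line below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed format: "<iso timestamp> <client> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
2022-07-06T10:00:01Z 10.0.0.12 GET http://update.example-vendor.invalid/asc/config.xml 200 application/xml
2022-07-06T10:00:04Z 10.0.0.12 GET http://update.example-vendor.invalid/asc/ASC-Setup.exe 200 application/octet-stream
2022-07-06T10:00:05Z 10.0.0.15 GET https://update.example-vendor.invalid/asc/config.xml 200 application/xml
2022-07-06T10:00:09Z 10.0.0.15 GET https://cdn.example-vendor.invalid/asc/ASC-Setup.exe 200 application/octet-stream
2022-07-06T10:00:12Z 10.0.0.20 GET http://news.example.invalid/index.html 200 text/html
2022-07-06T10:30:00Z 10.0.0.31 GET http://mirror.example.invalid/tool/installer.msi 200 application/x-msi
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)
EXEC_EXT = (".exe", ".msi", ".dll", ".ps1", ".bat")
CONFIG_EXT = (".xml", ".json", ".ini", ".cfg")
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-msi"}


@dataclass
class Alert:
    ts: datetime
    client: str
    url: str
    kind: str  # "config" or "executable"


def classify(line: str):
    """Return an Alert for a plain-HTTP fetch of a config or executable, else None."""
    m = LINE_RE.match(line)
    if not m or not m["url"].lower().startswith("http://"):
        return None
    path = m["url"].split("?", 1)[0].lower()
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    if path.endswith(EXEC_EXT) or m["ctype"] in BINARY_TYPES:
        return Alert(ts, m["client"], m["url"], "executable")
    if path.endswith(CONFIG_EXT):
        return Alert(ts, m["client"], m["url"], "config")
    return None


def scan(log_text: str) -> list:
    """All plain-HTTP config/executable fetches in the log, in log order."""
    return [a for a in map(classify, log_text.splitlines()) if a]


def correlate(alerts, window=timedelta(minutes=5)) -> list:
    """Clients that pulled a config over HTTP and then an executable over HTTP
    within `window`: the two-step shape of an auto-updater acting on a config
    it received unauthenticated. Returns (client, config_url, exe_url) tuples."""
    hits = []
    for cfg in (a for a in alerts if a.kind == "config"):
        for exe in (a for a in alerts if a.kind == "executable" and a.client == cfg.client):
            if timedelta(0) <= exe.ts - cfg.ts <= window:
                hits.append((cfg.client, cfg.url, exe.url))
    return hits


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts.isoformat()} {a.client} {a.kind:10} {a.url}")
    for client, cfg_url, exe_url in correlate(found):
        print(f"HIGH: {client} fetched config {cfg_url} then executable {exe_url} over plain HTTP")
```

The single-line alerts are noisy on their own (plenty of legitimate software still pulls installers over HTTP); the correlation step is what narrows them to the pattern this advisory describes, a config fetched without TLS followed shortly by an executable download from the same client.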

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 5

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)