CVE-2022-23748 Overview
CVE-2022-23748 is a DLL sideloading vulnerability in mDNSResponder.exe, a component of the Audinate Dante Discovery suite shipped with the Dante Application Library on Windows. The executable improperly specifies how and from where dependent DLLs are loaded. An attacker with local access can place a malicious DLL in a directory searched by the legitimate signed binary. When mDNSResponder.exe runs, it loads the attacker-controlled library and executes code in the context of the trusted process. CISA has added this issue to the Known Exploited Vulnerabilities catalog, confirming exploitation in the wild against deployments that bundle Dante Discovery.
Critical Impact
Attackers abuse a trusted, signed Audinate executable to load arbitrary DLLs, gaining code execution under the privileges of mDNSResponder.exe and bypassing application allowlisting that trusts the signed binary.
Affected Products
- Audinate Dante Application Library (Dante Discovery component, mDNSResponder.exe)
- Microsoft Windows hosts running Dante Discovery
- Third-party audio and broadcast applications that bundle Audinate Dante Discovery
Discovery Timeline
- 2022-11-17 - CVE-2022-23748 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2022-23748
Vulnerability Analysis
The vulnerability is a classic DLL sideloading issue mapped to [CWE-427] Uncontrolled Search Path Element and [CWE-426] Untrusted Search Path, with effects categorized as [CWE-114] Process Control. mDNSResponder.exe resolves one or more dependent DLLs by unqualified name. Windows applies its standard DLL search order, which includes the directory containing the executable before system locations under default conditions. An attacker who can write a crafted DLL to that directory, or who repackages the application in a writable path, causes the trusted process to load malicious code at startup.
Because the loading process is signed by Audinate, security tools that rely on signature trust or parent-process reputation may treat the malicious activity as benign. The vulnerability requires local access and user interaction to launch the affected application, but it produces high impact on confidentiality, integrity, and availability once triggered.
Root Cause
The root cause is the executable's failure to use a fully qualified path or a hardened search policy (such as LOAD_LIBRARY_SEARCH_SYSTEM32 or SetDefaultDllDirectories) when loading its dependencies. This delegates DLL resolution to the default Windows search order, which trusts the application's own directory before validated system paths.
Attack Vector
Exploitation requires a local foothold and the ability to write to the directory hosting mDNSResponder.exe or to an application directory that bundles it. The attacker drops a DLL with a name matching one of the binary's lookups. When a user, scheduled task, or service launches the audio application, mDNSResponder.exe loads the malicious DLL and executes attacker code under the same privilege level. The technique is commonly used for persistence, defense evasion, and privilege retention because the parent binary remains validly signed.
No verified public exploitation code is referenced in the advisories. See the Audinate Security Response CVE-2022-23748 and Checkpoint Vulnerability CPRID-2193 for technical details.
Detection Methods for CVE-2022-23748
Indicators of Compromise
- Unsigned or non-Audinate signed DLLs located alongside mDNSResponder.exe in the Dante Discovery installation directory.
- mDNSResponder.exe loading DLLs from non-standard paths instead of C:\Windows\System32 or the canonical Audinate install path.
- Child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned by mDNSResponder.exe.
- Outbound network connections initiated by mDNSResponder.exe to destinations unrelated to multicast DNS discovery.
Detection Strategies
- Hunt for image-load events where mDNSResponder.exe maps a DLL whose signer is not Audinate or Microsoft.
- Alert on file write operations creating DLL files inside Dante Discovery directories by processes other than the official installer.
- Correlate process-start telemetry to flag anomalous child processes or scripting hosts launched by mDNSResponder.exe.
Monitoring Recommendations
- Forward Sysmon Event ID 7 (Image Loaded) and Event ID 11 (File Create) from endpoints running Dante Discovery to a centralized analytics platform.
- Baseline the legitimate DLL load set of mDNSResponder.exe and alert on deviations.
- Track CISA KEV catalog updates and prioritize endpoints that match the affected CPE for audinate:dante_application_library.
How to Mitigate CVE-2022-23748
Immediate Actions Required
- Inventory all Windows hosts running Audinate Dante Discovery or third-party audio products that bundle mDNSResponder.exe and identify vulnerable versions.
- Update Dante Discovery to the fixed release distributed by Audinate, as referenced in the vendor advisory.
- Restrict write permissions on the Dante Discovery installation directory so non-administrative users cannot drop DLLs alongside mDNSResponder.exe.
- Treat this CVE as actively exploited based on its CISA KEV listing and prioritize remediation accordingly.
Patch Information
Audinate has released an updated Dante Discovery package that addresses the DLL sideloading flaw. Refer to the Audinate Security Response CVE-2022-23748 for fixed version details and downstream OEM guidance. Application vendors that embed Dante Discovery must redistribute updated installers to their own customers.
Workarounds
- Remove Dante Discovery from systems that do not require Dante audio networking until a patched version is deployed.
- Enforce strict NTFS ACLs on the Dante installation folder, granting write access only to SYSTEM and Administrators.
- Deploy application control policies (Windows Defender Application Control or AppLocker) that block unsigned DLLs from loading into mDNSResponder.exe.
- Monitor and block execution of mDNSResponder.exe from non-standard paths using endpoint policy.
# Example: restrict the Dante Discovery directory using icacls
icacls "C:\Program Files\Audinate\Dante Discovery" /inheritance:r
icacls "C:\Program Files\Audinate\Dante Discovery" /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
