What is Audinate Dante Discovery?
Audinate's Dante is a widely used proprietary audio-over-IP protocol standard for professional AV (audio-video) equipment, enabling real-time digital audio routing over standard IP networks. Dante Discovery is the software component of the Dante ecosystem responsible for device discovery and control on the network — it allows Dante-enabled devices (audio mixers, amplifiers, stagebox units, microphone systems) to find each other and be configured over IP. Dante Discovery is shipped as a component of the Dante Application Library (DAL), which is bundled into software products from hundreds of AV equipment manufacturers including Yamaha, Shure, Allen & Heath, Focusrite, and others. The Dante Application Library includes mDNSResponder.exe — an mDNS/Bonjour service binary — as part of its network discovery stack. Because DAL is embedded in many third-party products, a vulnerability in the shared library affects all of them simultaneously.
Overview
CVE-2022-23748 is a process control vulnerability (CWE-114 — DLL sideloading) in Audinate Dante Discovery's mDNSResponder.exe component. The vulnerability allows a local attacker to place a malicious DLL in a directory searched by mDNSResponder.exe before its standard system directories, causing the executable to load and execute the attacker's code when mDNSResponder.exe runs. Because Dante Discovery ships as a component in software from hundreds of AV equipment manufacturers, the vulnerability is present wherever the DAL is installed — across professional AV workstations, media production systems, and broadcast infrastructure. CISA added it to the KEV catalog in February 2025, over two years after initial publication.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Audinate Dante Discovery (DAL) | Versions incorporating vulnerable mDNSResponder.exe | Updated DAL versions per Audinate advisory |
Note: The vulnerability is present in any software that bundles the vulnerable Dante Application Library. End users receive the fix through updates to the third-party AV software they use (Yamaha Dante Controller, Shure Wireless Workbench, etc.), not directly from Audinate.
Technical Details
DLL sideloading (CWE-114 — Process Control) exploits Windows' DLL search order: when an executable loads a DLL, Windows searches several directories in sequence before looking in system directories (C:\Windows\System32). If the executable's own directory or another early-priority path (e.g., the current working directory) is writable by a low-privilege user, an attacker can place a malicious DLL with the same name as a legitimately required DLL in that path.
The exploitation pattern for CVE-2022-23748:
- Identify the DLL load path — mDNSResponder.exe (Bonjour's mDNS daemon) loads one or more DLLs from a directory that is writable by a standard (non-administrator) user account
- Place a malicious DLL — write a crafted DLL with the expected name to the writable directory
- Trigger DLL loading — cause mDNSResponder.exe to run (e.g., start the Dante Discovery service, or wait for the service to restart); Windows loads the malicious DLL from the writable directory instead of the legitimate system DLL
- Execute arbitrary code — the malicious DLL's code executes in the security context of mDNSResponder.exe; if the service runs as SYSTEM or a privileged account, the attacker achieves privilege escalation
The UI:R (user interaction required) metric in the CVSS vector reflects that a trigger event — running or restarting the Dante Discovery service or its host application — is needed to cause the DLL to load.
Discovery
CVE-2022-23748 was published in November 2022. Audinate issued an advisory acknowledging the DLL sideloading issue in mDNSResponder.exe and coordinated with OEM partners to distribute updated DAL versions. The gap of more than two years between publication and the CISA KEV addition reflects exploitation being confirmed in professional AV and media production environments where the vulnerable Dante Discovery component is widely deployed.
Exploitation Context
The Dante ecosystem's wide deployment in professional AV infrastructure makes CVE-2022-23748 noteworthy beyond its LOCAL attack vector:
- Broadcast studios, live performance venues, corporate AV installations, and educational media facilities all run Dante-enabled equipment; the DAL is present on operator workstations throughout these environments
- A DLL sideloading attack executed on an AV operator workstation can provide persistent elevated code execution without requiring any network access or exploitation of network-facing services
- The supply chain dimension — DAL distributed through hundreds of third-party AV software products — means the vulnerable component may be present on systems where users are unaware of it
- Professional AV workstations are often connected to both the Dante audio network and corporate/enterprise networks, making them potential lateral movement pivot points
Remediation
- Update all Dante-enabled AV software — apply updates from each AV software vendor that bundles the Dante Application Library (Yamaha Dante Controller, Shure Wireless Workbench, etc.); the fix is distributed through the third-party products, not directly through Audinate.
- Check Audinate's security advisory — Audinate published guidance on which DAL versions are affected and the remediation for each OEM product; contact AV vendors for specific update instructions.
- Restrict write access to DLL search path directories — apply file system permissions to prevent standard user accounts from writing to directories searched by mDNSResponder.exe before system directories; this removes the DLL placement precondition.
- Audit installed AV software — inventory all software components on workstations that may include the Dante Application Library; ensure each is updated to a version with the mDNSResponder.exe fix.
- Apply least privilege to Dante services — configure Dante Discovery and related services to run under a dedicated low-privilege service account rather than SYSTEM, limiting the impact if the DLL sideloading is triggered.
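One way to check the write-access, inventory and least-privilege items above on a single workstation, as an added example that is not Audinate's or any OEM's tooling. The search roots and the list of low-privilege SIDs are assumptions, since the page does not give install paths.

```powershell
# Added audit sketch, not Audinate's or any OEM's tooling.
# Assumptions: the search roots and the "low-privilege" SID list; adjust both.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }

# Well-known SIDs for broad, non-administrative principals.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# CreateFiles lets a principal drop a DLL into the directory; the other two
# rights let it grant itself that access.
$writeMask   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, ChangePermissions, TakeOwnership'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]
$services    = Get-CimInstance -ClassName Win32_Service

# Note: Apple Bonjour installs also ship mDNSResponder.exe and will be listed.
Get-ChildItem -Path $roots -Filter 'mDNSResponder.exe' -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $exe = $_
    $acl = Get-Acl -LiteralPath $exe.DirectoryName

    # Allow ACEs that apply to the directory itself (inherit-only ACEs skipped)
    # and give a broad principal a way to place a file next to the binary.
    $risky = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivSids -contains $_.IdentityReference.Value -and
        -not ($_.PropagationFlags -band $inheritOnly) -and
        ($_.FileSystemRights -band $writeMask)
    }

    # Services whose image path points at this binary, with their logon account.
    $svc = $services | Where-Object {
        $_.PathName -and
        $_.PathName.IndexOf($exe.FullName, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }

    [pscustomobject]@{
        Binary          = $exe.FullName
        FileVersion     = $exe.VersionInfo.FileVersion
        DirUserWritable = [bool]$risky
        WritableBy      = ($risky | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
        ServiceAccounts = ($svc | ForEach-Object { "$($_.Name)=$($_.StartName)" }) -join ', '
    }
} | Format-List
```

Any result with DirUserWritable set to True, or with a service logging on as LocalSystem, is a candidate for the permission and service-account changes listed above; compare FileVersion against the fixed versions named in the vendor's advisory.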
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-23748 |
| Vendor / Product | Audinate — Dante Discovery |
| NVD Published | 2022-11-17 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-114 |
| CISA KEV Added | 2025-02-06 |
| CISA KEV Deadline | 2025-02-27 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-11-17 | CVE-2022-23748 published; Audinate issues advisory for Dante Discovery mDNSResponder.exe DLL sideloading vulnerability |
| 2025-02-06 | CISA adds CVE-2022-23748 to the Known Exploited Vulnerabilities catalog — over 2 years after publication |
| 2025-02-27 | CISA BOD 22-01 remediation deadline |