cbcvebase.
CVE-2022-24627
published 2023-05-29


Priority: P275
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 26.39% (97.8th percentile)
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| audiocodes | device_manager_express | <= 7.8.20002.47752 | |

Detection & IOCs (extracted from sources)

path: /admin/AudioCodes_files/process_login.php
command: username=admin&password=&domain=&p=%5C%27or+1%3D1%23
path: /admin/AudioCodes_files/BrowseFiles.php
path: /admin/AudioCodes_files/BrowseFiles.php?cmd=ssh
path: /admin/AudioCodes_files/ajax/ajaxGlobalSettings.php
path: /region/
path: C:/audiocodes/express/WebAdmin/region/
sigma words: ['SQL syntax', 'mysql_fetch', 'You have an error in your SQL syntax']
  • Detect SQLi exploitation attempts against the login form by monitoring POST requests to /admin/AudioCodes_files/process_login.php with the 'p' parameter containing SQL injection payloads (e.g., URL-encoded quote/OR/comment sequences).
  • Alert on HTTP responses from AudioCodes Device Manager containing SQL error strings such as 'SQL syntax', 'mysql_fetch', or 'You have an error in your SQL syntax', which indicate successful SQLi triggering.
  • Monitor POST requests to /admin/AudioCodes_files/BrowseFiles.php?cmd=ssh with body containing 'ssh_command=' as an indicator of post-exploitation remote command execution (CVE-2022-24631).
  • Monitor POST requests to /admin/AudioCodes_files/ajax/ajaxGlobalSettings.php with action=saveext and a modified extensions list as an indicator of file-upload extension whitelisting for webshell upload.
  • Detect webshell upload by monitoring POST requests to the upload endpoint with 'dir' set to 'C:/audiocodes/express/WebAdmin/region/' and file content-type 'text/html'.
  • Use Shodan/FOFA queries to identify exposed AudioCodes Device Manager Express instances as attack surface: title:"Audiocodes" or http.title:"audiocodes".
  • The exploit targets AudioCodes Device Manager Express version 7.8.20002.47752 specifically; the product was announced EOL on 07-02-2022, meaning no patch will be issued by the vendor.
  • The Nuclei template uses a two-step flow: first confirming the target is an AudioCodes instance (body contains 'audiocodes'), then sending the SQLi payload; detections should account for this two-request pattern.
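
The request-side and response-side checks from the bullets above, run over constructed HTTP transactions. This is an added example, not part of the original page or of any vendor tooling; the function name, finding labels and the SQLi heuristic regex are assumptions, and the regex may need tuning against legitimate login traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/admin/audiocodes_files/process_login.php"   # compared lowercased
BROWSE_PATH = "/admin/audiocodes_files/browsefiles.php"
SQL_ERRORS = ("SQL syntax", "mysql_fetch", "You have an error in your SQL syntax")
# Assumed heuristic: quote, backslash, SQL comment marker or a standalone
# OR/AND/UNION/SELECT keyword in the decoded `p` value. Tune for your traffic.
SQLI_RE = re.compile(
    r"['\"\\#]|--|/\*|(?<![a-z0-9_])(?:or|and|union|select)(?![a-z0-9_])", re.I)


def classify(method, url, body="", response_body=""):
    """Return the findings for one HTTP transaction (request plus response body)."""
    findings = []
    parts = urlsplit(url)
    # Assumption: the page lists a C:/ install path, so URL paths are
    # treated as case-insensitive.
    path = parts.path.lower()
    form = parse_qs(body, keep_blank_values=True)   # decodes %XX and '+'
    if method.upper() != "POST":
        return findings
    if path == LOGIN_PATH:
        if any(SQLI_RE.search(v) for v in form.get("p", [])):
            findings.append("sqli-in-p-parameter")
        if any(s in response_body for s in SQL_ERRORS):
            findings.append("sql-error-in-response")
    if (path == BROWSE_PATH and parse_qs(parts.query).get("cmd") == ["ssh"]
            and "ssh_command" in form):
        findings.append("ssh-command-post")
    return findings


# Constructed sample transactions: (method, url, body, response body).
SAMPLES = [
    ("POST", "/admin/AudioCodes_files/process_login.php",
     "username=admin&password=&domain=&p=%5C%27or+1%3D1%23", ""),
    ("POST", "/admin/AudioCodes_files/process_login.php",
     "username=admin&password=&domain=&p=5f4dcc3b5aa765d61d8327deb882cf99", ""),
    ("POST", "/ADMIN/AudioCodes_files/process_login.php",
     "username=admin&password=&domain=&p=x%27", "You have an error in your SQL syntax"),
    ("POST", "/admin/AudioCodes_files/BrowseFiles.php?cmd=ssh",
     "ssh_command=PLACEHOLDER", ""),
    ("GET", "/admin/AudioCodes_files/BrowseFiles.php?cmd=ssh", "", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], "->", classify(*sample) or "clean")
```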