CVE-2022-24629
Published 2023-05-29
Priority: P2 78 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 37.25% (98.3rd percentile)
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. Remote code execution can be achieved via directory traversal in the dir parameter of the file upload functionality of BrowseFiles.php. An attacker can upload a .php file to WebAdmin/admin/AudioCodes_files/ajax/.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| audiocodes | device_manager_express | <= 7.8.20002.47752 | — |
Detection & IOCs
- Detect directory traversal in the 'dir' POST parameter of BrowseFiles.php file upload requests; payloads will contain path strings traversing to web-accessible directories (e.g. C:/audiocodes/express/WebAdmin/region/).
- Alert on POST requests to /admin/AudioCodes_files/BrowseFiles.php containing multipart file uploads with a .php extension, indicating webshell upload attempts.
- Monitor POST requests to /admin/AudioCodes_files/ajax/ajaxGlobalSettings.php with body parameter 'action=saveext' and 'extensions' values containing non-standard extensions (e.g. .php), indicating an attacker whitelisting a malicious file extension.
- Detect GET requests to /admin/AudioCodes_files/BrowseFiles.php with a 'view' parameter containing absolute file paths (e.g. c:\windows\win.ini), indicating exploitation of CVE-2022-24632 arbitrary file read.
- Detect POST requests to /admin/AudioCodes_files/BrowseFiles.php?cmd=ssh with body parameter 'ssh_command=', indicating remote command execution via CVE-2022-24631.
- Watch for new .php files appearing under the web-accessible /region/ directory on AudioCodes Device Manager Express hosts, which would indicate a successfully planted webshell.
- The vulnerability affects AudioCodes Device Manager Express through version 7.8.20002.47752 only; the product was announced EOL on 07-02-2022, meaning no patch will be issued and affected deployments should be isolated or decommissioned.
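The request-level checks in the list above, combined into one classifier for proxy or WAF records that include the request body. This is an added example, not code from this page or from AudioCodes. The function names, rule labels, case-insensitive path match, set of script extensions and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

BROWSE = "/admin/audiocodes_files/browsefiles.php"  # compared lowercased (assumption)
SETTINGS = "/admin/audiocodes_files/ajax/ajaxglobalsettings.php"
PATHY = re.compile(r"^\s*(?:[a-z]:[\\/]|[\\/])|\.\.[\\/]", re.I)  # absolute or ../ path
PHP_FILE = re.compile(r'filename="[^"]*\.ph(?:p\d?|tml|ar)\b', re.I)
PHP_EXT = re.compile(r"\bph(?:p\d?|tml|ar)\b", re.I)  # assumed script extensions

def fields(body):
    """Text form fields from a urlencoded or multipart/form-data body."""
    out = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for m in re.finditer(r'\bname="([^"]+)"\r?\n\r?\n(.*?)\r?\n--', body, re.S):
        out[m.group(1)] = m.group(2)
    return out

def classify(method, url, body=""):
    """Return the names of the detection rules a request matches."""
    parts, verb = urlsplit(url), method.upper()
    path, query = parts.path.lower(), parse_qs(parts.query, keep_blank_values=True)
    form, post = fields(body), verb == "POST"
    browse, settings = path.endswith(BROWSE), path.endswith(SETTINGS)
    rules = [
        ("upload-dir-traversal", browse and post and PATHY.search(form.get("dir", ""))),
        ("php-upload", browse and post and PHP_FILE.search(body)),
        ("file-read-CVE-2022-24632", browse and verb == "GET"
            and any(PATHY.search(v) for v in query.get("view", []))),
        ("ssh-command-CVE-2022-24631", browse and post
            and query.get("cmd") == ["ssh"] and "ssh_command" in form),
        ("extension-whitelist", settings and post and form.get("action") == "saveext"
            and PHP_EXT.search(form.get("extensions", ""))),
    ]
    return [name for name, hit in rules if hit]

MULTIPART = ('--b\r\nContent-Disposition: form-data; name="dir"\r\n\r\n'
             'C:/audiocodes/express/WebAdmin/region/\r\n'
             '--b\r\nContent-Disposition: form-data; name="file"; filename="x.php"\r\n'
             'Content-Type: text/plain\r\n\r\nplaceholder\r\n--b--\r\n')  # constructed
SAMPLES = [  # constructed requests (method, url, body); not captured traffic
    ("POST", "/admin/AudioCodes_files/BrowseFiles.php", MULTIPART),
    ("GET", "/admin/AudioCodes_files/BrowseFiles.php?view=c:%5Cwindows%5Cwin.ini", ""),
    ("POST", "/admin/AudioCodes_files/BrowseFiles.php?cmd=ssh", "ssh_command=PLACEHOLDER"),
    ("POST", "/admin/AudioCodes_files/ajax/ajaxGlobalSettings.php", "action=saveext&extensions=jpg,php"),
    ("GET", "/admin/AudioCodes_files/BrowseFiles.php?view=report.txt", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], "->", classify(*sample) or "clean")
```

Standard web access logs do not record POST bodies, so the `dir`, `ssh_command` and `saveext` rules need a log source that captures them. Compare `PATHY` against the `dir` values legitimate uploads send in the deployment before alerting on it.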