CVE-2022-24630
published 2023-05-29


Priority: P2 (61)
CVSS 3.1: 7.2 (high)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.89% (97.5th percentile)
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. BrowseFiles.php allows a ?cmd=ssh POST request with an ssh_command field that is executed.

Affected

1 range
Vendor: audiocodes
Product: device_manager_express
Version range: <= 7.8.20002.47752
Fixed in:

Detection & IOCs (extracted from sources)

url: http://{target}/admin/AudioCodes_files/BrowseFiles.php?cmd=ssh
path: /admin/AudioCodes_files/BrowseFiles.php
path: /admin/AudioCodes_files/ajax/ajaxGlobalSettings.php
path: C:/audiocodes/express/WebAdmin/region/
url: http://{target}/region/{file}?{param}=dir
url: http://{target}/admin/AudioCodes_files/BrowseFiles.php?view={file}
command: ssh_command=<command>
  • Detect POST requests to BrowseFiles.php with the query parameter cmd=ssh; the POST body will contain the field ssh_command carrying the injected OS command.
  • Monitor POST requests to /admin/AudioCodes_files/ajax/ajaxGlobalSettings.php with body parameter action=saveext and a non-standard file extension appended to the extensions list (e.g., .php, .phtml), indicating an attacker whitelisting a webshell extension.
  • Monitor for file uploads to the /region/ web-accessible directory on AudioCodes Device Manager Express, particularly files with content-type text/html, which may be backdoor webshells.
  • Alert on GET requests to /admin/AudioCodes_files/BrowseFiles.php with a view= parameter containing an absolute Windows path (e.g., c:\windows\win.ini), indicating arbitrary file read exploitation (CVE-2022-24632).
  • The exploit targets AudioCodes Device Manager Express version 7.8.20002.47752 specifically; the vendor announced product EOL on 07-02-2022, meaning no patch will be issued and exposed instances remain permanently vulnerable.
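
The request patterns in the list above, expressed as a classifier for HTTP request records. This is an added example, not code from the vendor or from the sources this page draws on; it assumes records that include the POST body (for example from a reverse proxy or WAF), and the rule names, the `dme.example` host, `sample.php` and the `list` form field are made up for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

BROWSE = "/admin/audiocodes_files/browsefiles.php"
SETTINGS = "/admin/audiocodes_files/ajax/ajaxglobalsettings.php"
SCRIPT_EXT = re.compile(r"\.(php|phtml)\b", re.I)   # the page's two example extensions
WIN_ABS_PATH = re.compile(r"^[a-z]:[\\/]", re.I)     # e.g. c:\windows\win.ini

def classify(method, url, body=""):
    """Return the names of the detection rules one HTTP request matches."""
    parts = urlsplit(url)
    path = parts.path.lower()   # Windows host: compare paths case-insensitively
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    hits = []
    if method == "POST" and path == BROWSE and "ssh" in query.get("cmd", []):
        hits.append("cmd-ssh-post")
        if "ssh_command" in form:
            hits.append("ssh-command-field")
    if method == "POST" and path == SETTINGS and "saveext" in form.get("action", []):
        # The page does not name the field holding the extension list: scan all values.
        if any(SCRIPT_EXT.search(v) for vals in form.values() for v in vals):
            hits.append("saveext-script-extension")
    # Assumption: a script-extension file requested under /region/ stands in for
    # the upload itself, which a request log may not show.
    if path.startswith("/region/") and SCRIPT_EXT.search(path):
        hits.append("region-script-request")
    if method == "GET" and path == BROWSE:
        if any(WIN_ABS_PATH.match(v) for v in query.get("view", [])):
            hits.append("view-absolute-path")
    return hits

# Constructed sample requests (method, URL, body); host, file and field names are made up.
SAMPLES = [
    ("POST", "http://dme.example/admin/AudioCodes_files/BrowseFiles.php?cmd=ssh", "ssh_command=PLACEHOLDER"),
    ("POST", "http://dme.example/admin/AudioCodes_files/ajax/ajaxGlobalSettings.php", "action=saveext&list=.jpg%2C.png%2C.php"),
    ("GET", "http://dme.example/region/sample.php?p=dir", ""),
    ("GET", "http://dme.example/admin/AudioCodes_files/BrowseFiles.php?view=c:%5Cwindows%5Cwin.ini", ""),
    ("GET", "http://dme.example/admin/AudioCodes_files/BrowseFiles.php?view=report.txt", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, "->", classify(method, url, body) or "no match")
```

Standard access logs usually omit POST bodies, so the `saveext` and `ssh_command` checks need a log source that records them; the `cmd=ssh` and `view=` checks work from the request line alone.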