cbcvebase.
CVE-2023-3722
published 2023-07-19


Priority: P1 · 84 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 3.33% (87.1st percentile)
An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.

Affected (2 ranges)

Vendor   Product               Version range   Fixed in
avaya    aura_device_services  < 8.1.4.1       8.1.4.1
avaya    aura_device_services  <= 8.1.4.0      -

Detection & IOCs (extracted from sources)

path:  /PhoneBackup/{(unknown)}.php
path:  /PhoneBackup/
other: shodan:html:"Avaya Aura® Utility Services"
other: fofa:body="Avaya Aura® Utility Services"
  • The exploit uses an HTTP PUT to upload a PHP webshell to /PhoneBackup/<random>.php, followed by a GET request that executes it. Detect unauthenticated HTTP PUT requests to paths under /PhoneBackup/ that end in .php.
  • A successful upload returns HTTP 201 with the body 'Resource /PhoneBackup/<filename>.php has been created.' Standard access logs record only the status code, so alert on 201 responses to PUT requests under /PhoneBackup/ there, and match the body string where a WAF, reverse proxy or packet capture exposes response bodies.
  • Exploit requests use the custom User-Agent string 'AVAYA'. Monitor for HTTP requests to /PhoneBackup/ with this User-Agent, especially PUT and GET methods; on its own the string is a weak signal, so weight it together with the upload-then-execute sequence.
  • After the upload, the attacker GETs the uploaded PHP file with a base64-encoded parameter (?input=<base64>) to trigger code execution. Detect GET requests to /PhoneBackup/*.php that carry query parameters on Avaya Aura Device Services hosts.
  • Identify exposed Avaya Aura Device Services instances via Shodan or FOFA using the fingerprint 'Avaya Aura® Utility Services' in the HTML body. The fingerprint names Utility Services rather than Device Services, so confirm the product and version on each hit before triaging it.
  • The vulnerability affects Avaya Aura Device Services version 8.1.4.0 and earlier only (fixed in 8.1.4.1). Scope detection rules to confirmed affected versions.
  • The exploit is unauthenticated (PR:N): no credentials are required, so any internet-exposed instance is at risk unless network controls restrict access to it.
  • The Nuclei template is marked 'intrusive': running it against production systems creates real PHP files in the /PhoneBackup/ directory. Have cleanup procedures in place during testing.
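The traffic pattern in the bullets above (PUT of a .php file under /PhoneBackup/, a 201, then a GET with ?input=<base64>, all with User-Agent 'AVAYA') is easy to turn into a log-side check. The script below is an added example written for this page; it is not code from the page's sources, from the Nuclei template or from Avaya. It assumes the web server writes Apache/nginx "combined" access logs (the regex is for that format), the sample log lines are constructed, and the version helper only encodes the Affected table (vulnerable through 8.1.4.0, fixed in 8.1.4.1). Detection is scoped to /PhoneBackup/ and the reasons are kept separate so a rule can weight the weak signals (the User-Agent alone) differently from the strong ones (unauthenticated PUT of .php answered with 201).

```python
"""Access-log detection for the CVE-2023-3722 upload-then-execute pattern.

Added example, not code from the page's sources or from Avaya. Assumes
Apache/nginx "combined" access logs; sample lines are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# combined format: ip ident authuser [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

FIXED_VERSION = (8, 1, 4, 1)  # Affected table: 8.1.4.0 and earlier are vulnerable


@dataclass
class Alert:
    line_no: int
    ip: str
    reason: str


def is_affected_version(version: str) -> bool:
    """True when an ADS version string sorts below the fixed 8.1.4.1 release."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (len(FIXED_VERSION) - len(parts))  # "8.1.4" == "8.1.4.0"
    return parts < FIXED_VERSION


def decode_input(value: str) -> Optional[str]:
    """Decode the ?input=<base64> payload so the alert shows the command."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify(method: str, target: str, status: int, authuser: str, ua: str) -> List[str]:
    """Return the detection reasons that fire for one request, [] if nothing does."""
    url = urlsplit(target)
    path, query = url.path, parse_qs(url.query)
    reasons: List[str] = []
    if not path.startswith("/PhoneBackup/"):
        return reasons
    is_php = path.lower().endswith(".php")
    if method == "PUT" and is_php:
        who = "unauthenticated" if authuser == "-" else f"authuser={authuser}"
        reasons.append(f"{who} PUT of .php under /PhoneBackup/")
        if status == 201:
            # The access log carries only the status; the 'Resource ... has been
            # created.' body text is visible only in a WAF/proxy/packet capture.
            reasons.append("201 Created: upload succeeded")
    if method == "GET" and is_php and query:
        reasons.append("GET of .php under /PhoneBackup/ with query parameters")
        for raw in query.get("input", []):
            decoded = decode_input(raw)
            reasons.append(f"?input= payload decodes to {decoded!r}" if decoded is not None
                           else "?input= payload is not valid base64")
    if ua == "AVAYA":
        reasons.append("User-Agent 'AVAYA' on /PhoneBackup/")
    return reasons


def scan_log(lines: List[str]) -> List[Alert]:
    """Run classify() over access-log lines, skipping lines that do not parse."""
    alerts: List[Alert] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["method"], m["target"], int(m["status"]), m["user"], m["ua"])
        if reasons:
            alerts.append(Alert(n, m["ip"], "; ".join(reasons)))
    return alerts


# Constructed sample log (not captured traffic): an upload-then-execute pair,
# ordinary browsing, and a benign hit on the directory itself.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Jul/2023:10:15:01 +0000] "PUT /PhoneBackup/k3j9s.php HTTP/1.1" 201 87 "-" "AVAYA"',
    '203.0.113.10 - - [19/Jul/2023:10:15:02 +0000] "GET /PhoneBackup/k3j9s.php?input=aWQ= HTTP/1.1" 200 312 "-" "AVAYA"',
    '198.51.100.7 - - [19/Jul/2023:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jul/2023:10:16:05 +0000] "GET /PhoneBackup/ HTTP/1.1" 403 220 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no} {a.ip}: {a.reason}")
```

Run it as-is to see the two alerts from the constructed log; in practice feed it the real access log and gate the output on is_affected_version() for the host, since phones legitimately talk to /PhoneBackup/ and the User-Agent match by itself will not separate them from an attacker.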

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck  -        8.6    HIGH      -