CVE-2023-3722
Published 2023-07-19
Priority P184 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 3.33% (87.1th percentile)
An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| avaya | aura_device_services | < 8.1.4.1 | 8.1.4.1 |
| avaya | aura_device_services | <= 8.1.4.0 | — |
Detection & IOCs (extracted from sources)
- Exploit uses HTTP PUT to upload a PHP webshell to /PhoneBackup/<random>.php, followed by a GET request to execute it. Detect unauthenticated HTTP PUT requests targeting paths under /PhoneBackup/ with a .php extension.
- Successful file creation is confirmed by a 201 response containing the string 'Resource /PhoneBackup/<filename>.php has been created.' Alert on this response pattern in web server logs.
- Exploit requests use the custom User-Agent string 'AVAYA'. Monitor for HTTP requests to /PhoneBackup/ with this User-Agent, especially PUT and GET methods.
- After upload, the attacker GETs the uploaded PHP file with a base64-encoded parameter (?input=<base64>) to trigger code execution. Detect GET requests to /PhoneBackup/*.php with query parameters on Avaya Aura Device Services hosts.
- Identify exposed Avaya Aura Device Services instances via Shodan or FOFA using the fingerprint 'Avaya Aura® Utility Services' in the HTML body.
- The vulnerability affects Avaya Aura Device Services version 8.1.4.0 and earlier only. Scope detection rules to confirmed affected versions.
- The exploit is unauthenticated (PR:N), meaning no credentials are required. Any internet-exposed instance is at risk without additional network controls.
- The Nuclei template is marked 'intrusive': running it against production systems will create actual PHP files in the /PhoneBackup/ directory. Ensure cleanup procedures are in place during testing.
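The log-based checks above can be combined into one pass over web server access logs. The following is an added example, not code from any of the cited sources: it assumes Apache/nginx combined log format, uses the 201 status as a stand-in for the response-body string (which access logs do not record), and the function name and sample lines are constructed for illustration.

```python
import re

# Combined log format (assumed): ip - - [ts] "METHOD target PROTO" status size "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
PHP_UNDER_BACKUP = re.compile(r'^/PhoneBackup/[^/?]+\.php$', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not taken from a real incident.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jul/2023:10:00:01 +0000] "PUT /PhoneBackup/a1b2c3.php HTTP/1.1" 201 64 "-" "AVAYA"
198.51.100.7 - - [19/Jul/2023:10:00:02 +0000] "GET /PhoneBackup/a1b2c3.php?input=QUJD HTTP/1.1" 200 31 "-" "AVAYA"
203.0.113.9 - - [19/Jul/2023:10:05:00 +0000] "GET /PhoneBackup/config.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.20 - - [19/Jul/2023:10:06:00 +0000] "PUT /PhoneBackup/x.php HTTP/1.1" 403 0 "-" "curl/8.0"
"""

def scan(log_text):
    """Return (findings, confirmed): tagged log lines, and .php paths created then requested."""
    findings, created, confirmed = [], set(), set()
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        path, _, query = m["target"].partition("?")
        if not path.lower().startswith("/phonebackup/"):
            continue
        is_php = bool(PHP_UNDER_BACKUP.match(path))
        tags = []
        if m["method"] == "PUT" and is_php:
            tags.append("php-put")                 # upload attempt, whatever the outcome
            if m["status"] == "201":
                tags.append("php-created")         # server reported the file as created
                created.add(path)
        if m["method"] == "GET" and is_php and query:
            tags.append("php-get-with-query")      # e.g. ?input=<base64>
            if path in created:
                confirmed.add(path)                # upload followed by a request: highest priority
        if m["ua"] == "AVAYA":
            tags.append("ua-avaya")                # User-Agent reported for the exploit
        if tags:
            findings.append((n, m["ip"], m["method"], path, tags))
    return findings, confirmed
```

A path in `confirmed` means a created `.php` file was subsequently requested and warrants host-level triage; a lone `php-put` with a non-201 status is a failed attempt and still worth recording.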
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.6 HIGH
GHSA
ghsa_unreviewed·2023-07-19
CVE-2023-3722 [CRITICAL] CWE-434 GHSA-hq7j-vpf8-c785: An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web s
VulnCheck
avaya aura_device_services Unrestricted Upload of File with Dangerous Type
vulncheck·2023·CVSS 8.6
CVE-2023-3722 [HIGH] avaya aura_device_services Unrestricted Upload of File with Dangerous Type
Affected: avaya aura_device_services
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://information.rapid7.com/rs/411-NAK-970/images/Rapid7-2023-Mid-Year-Threat-Review.pdf; https://www.rapid7.com/globalassets/_pdfs/research/rapid7_2024_attack_intelligence_report.pdf; https://api.vulncheck.com/v3/index/vulncheck-can
No detection rules found.
Nuclei
Avaya Aura Device Services - OS Command Injection
nuclei·CVSS 9.8
CVE-2023-3722 [CRITICAL] Avaya Aura Device Services - OS Command Injection
Template:
```yaml
id: CVE-2023-3722

info:
  name: Avaya Aura Device Services - OS Command Injection
  author: iamnoooob,pdresearch
  severity: high
  description: |
    An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.
  impact: |
    Unauthenticated attackers can upload malicious PHP fi
```