CVE-2022-24627

9.8 CRITICAL

📋 TL;DR

CVE-2022-24627 is an unauthenticated SQL injection vulnerability in the login form of AudioCodes Device Manager Express. An attacker can execute arbitrary SQL commands without credentials, potentially compromising the entire system. Organizations running AudioCodes Device Manager Express versions through 7.8.20002.47752 are affected.

💻 Affected Systems

Products:
  • AudioCodes Device Manager Express
Versions: Through 7.8.20002.47752
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise including remote code execution, data exfiltration, and persistent backdoor installation leading to full network compromise.

🟠 Likely Case

Database compromise, credential theft, privilege escalation, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation, WAF protection, and intrusion detection systems blocking SQL injection attempts.

🌐 Internet-Facing: HIGH - Unauthenticated exploit allows direct internet-based attacks without any credentials required.
🏢 Internal Only: HIGH - Even internally, the unauthenticated nature makes it trivial for attackers with network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public disclosure includes technical details making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 7.8.20002.47752

Vendor Advisory: https://www.audiocodes.com/support/security-advisories

Restart Required: Yes

Instructions:

1. Check the current version using the admin interface.
2. Download the latest version from the AudioCodes support portal.
3. Back up the configuration.
4. Apply the update following vendor documentation.
5. Restart services.
6. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction (linux)

Restrict access to Device Manager Express to trusted IP addresses only:

iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP

Web Application Firewall (all)

Deploy a WAF with SQL injection protection rules.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Device Manager Express from critical systems
  • Deploy intrusion detection/prevention systems with SQL injection signatures monitoring the login endpoint

🔍 How to Verify

Check if Vulnerable:

Check the version in the admin interface, or test /process_login.php with SQL injection test payloads (use caution).

Check Version:

Check the web interface or contact AudioCodes support to verify the version.

Verify Fix Applied:

Verify version is above 7.8.20002.47752 and test that SQL injection attempts no longer succeed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts with SQL syntax
  • Database connection errors

Network Indicators:

  • HTTP POST requests to /process_login.php containing SQL keywords
  • Unusual database traffic from web server

SIEM Query:

source="web_logs" AND uri="/process_login.php" AND (payload CONTAINS "UNION" OR payload CONTAINS "SELECT" OR payload CONTAINS "OR 1=1")
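The detection logic of the SIEM query above, as an added example (not part of this advisory) that runs over a few constructed web-log lines in a hypothetical "ip method uri body" format; it goes beyond the query by URL-decoding the body and matching case-insensitively, so percent-encoded payloads are not missed:

```python
"""Log-based detection for SQL injection attempts against /process_login.php.

Constructed example; the log format and sample lines are assumptions,
the indicators (UNION, SELECT, OR 1=1) come from the advisory's SIEM query.
"""
import re
from urllib.parse import unquote_plus

LOGIN_URI = "/process_login.php"

# Indicators from the SIEM query, compiled case-insensitively with word
# boundaries so ordinary words such as "selection" do not fire.
SQLI_PATTERNS = [
    re.compile(r"\bUNION\b", re.I),
    re.compile(r"\bSELECT\b", re.I),
    re.compile(r"\bOR\s+1\s*=\s*1\b", re.I),
]

# Hypothetical log format: "<client-ip> <method> <uri> <request-body>".
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<body>.*)$")


def parse_line(line):
    """Return a dict with ip/method/uri/body, or None if the line does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Decode %XX and '+' so "%27+OR+1%3D1" is inspected as "' OR 1=1".
    rec["body"] = unquote_plus(rec["body"])
    return rec


def is_suspicious(rec):
    """True for a POST to the login endpoint whose body carries an indicator."""
    if rec["method"] != "POST" or rec["uri"] != LOGIN_URI:
        return False
    return any(p.search(rec["body"]) for p in SQLI_PATTERNS)


def find_suspicious(lines):
    """Return (ip, decoded body) for every log line that should raise an alert."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["body"]))
    return hits


# Constructed sample log lines: a normal login, two encoded injection
# attempts against the login form, and two requests to other URIs.
SAMPLE_LOGS = [
    "10.0.0.5 POST /process_login.php user=admin&pass=Secret123",
    "10.0.0.9 POST /process_login.php user=admin%27+OR+1%3D1--&pass=x",
    "10.0.0.9 POST /process_login.php user=x%27+UNION+SELECT+1%2C2--&pass=x",
    "10.0.0.7 GET /index.php -",
    "10.0.0.8 POST /other.php q=select+name",
]

if __name__ == "__main__":
    for ip, body in find_suspicious(SAMPLE_LOGS):
        print(f"ALERT {ip}: {body}")
```

Only the two login-form requests are flagged; the `select` in a POST to a different URI is ignored, which keeps the rule scoped to the vulnerable endpoint.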
