CVE-2022-24629

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on AudioCodes Device Manager Express servers via directory traversal in file upload functionality. Attackers can upload PHP files to a specific directory, leading to complete system compromise. All systems running affected versions are vulnerable.

💻 Affected Systems

Products:
  • AudioCodes Device Manager Express
Versions: through 7.8.20002.47752
Operating Systems: All supported OS platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining root/admin privileges, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Web server compromise leading to data theft, service disruption, and use as a pivot point for internal network attacks.

🟢 If Mitigated

Limited impact if proper network segmentation, file upload restrictions, and web application firewalls are in place.

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests without authentication, making internet-facing instances prime targets.
🏢 Internal Only: HIGH - Even internally, any user with network access can exploit this to gain full control of the server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial with publicly available proof-of-concept code. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any release later than 7.8.20002.47752

Vendor Advisory: https://www.audiocodes.com/security-advisories

Restart Required: Yes

Instructions:

1. Download the latest version from the AudioCodes support portal.
2. Back up the current configuration.
3. Install the update following vendor documentation.
4. Restart services.
5. Verify the fix by checking the version.

🔧 Temporary Workarounds

Block access to vulnerable endpoint

Applies to: all

Restrict access to BrowseFiles.php via web server configuration or firewall rules. This also disables the legitimate file-browsing feature until the server is patched.

# Apache (requires mod_rewrite with RewriteEngine On):
RewriteRule ^/WebAdmin/admin/AudioCodes_files/ajax/BrowseFiles\.php - [F,L]

# Nginx:
location ~ /WebAdmin/admin/AudioCodes_files/ajax/BrowseFiles\.php { deny all; }

Disable PHP execution in upload directory

Applies to: all

Prevent PHP file execution in the vulnerable directory.

# Apache (mod_php only; with PHP-FPM remove the PHP handler for this path instead).
# With the engine off, Apache serves .php files as plain text, so pair this with the deny rule above.
<Location /WebAdmin/admin/AudioCodes_files/ajax>
    php_flag engine off
</Location>

# Nginx:
location ~ /WebAdmin/admin/AudioCodes_files/ajax/.*\.php$ { deny all; }

🧯 If You Can't Patch

  • Isolate the server in a dedicated network segment with strict firewall rules
  • Implement web application firewall with rules blocking directory traversal and PHP file uploads

🔍 How to Verify

Check if Vulnerable:

Check if BrowseFiles.php exists at /WebAdmin/admin/AudioCodes_files/ajax/ and test for directory traversal in dir parameter

Check Version:

Check web interface or configuration files for version information

Verify Fix Applied:

Attempt exploitation with the known PoC; it should fail. Verify the installed version is later than 7.8.20002.47752.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to BrowseFiles.php with ../ in parameters
  • File uploads to /WebAdmin/admin/AudioCodes_files/ajax/ directory
  • PHP file creation in unexpected locations

Network Indicators:

  • POST requests to BrowseFiles.php with file uploads
  • Unusual outbound connections from the server

SIEM Query:

source="web_server" AND (uri="*BrowseFiles.php*" AND (param="*../*" OR file_upload="true"))
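The log and network indicators above, plus the "PHP file creation in unexpected locations" check, can be run offline against access logs and the web root. The script below is an added example and is not part of this advisory or of the AudioCodes product; it assumes Apache/Nginx "combined" log format, a document root containing /WebAdmin/admin/AudioCodes_files/ajax/, and that BrowseFiles.php is the only PHP file expected in that directory (all three are assumptions). It goes slightly beyond the SIEM query by collapsing URL-encoded and double-encoded traversal sequences (%2e%2e%2f) before matching, which a literal `*../*` pattern misses. The sample log lines are constructed.

```python
"""Defensive checks for CVE-2022-24629 indicators (added example, not vendor code).

Assumptions (not from the advisory):
  - access logs are in Apache/Nginx "combined" format
  - the vulnerable directory lives at DOCROOT/WebAdmin/admin/AudioCodes_files/ajax
  - BrowseFiles.php is the only legitimate PHP file in that directory
"""
import os
import re
import tempfile
import urllib.parse

TARGET_SCRIPT = "BrowseFiles.php"
VULN_DIR = "WebAdmin/admin/AudioCodes_files/ajax"
EXPECTED_PHP = {"BrowseFiles.php"}  # assumed baseline of legitimate PHP files

# combined format: ip ident user [time] "METHOD /uri HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")  # ../ or ..\ after decoding


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms collapse to '../'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(method, uri):
    """Return the list of reasons a request to BrowseFiles.php looks suspicious (empty if none)."""
    reasons = []
    path, _, query = uri.partition("?")
    if not fully_decode(path).endswith("/" + TARGET_SCRIPT):
        return reasons  # not the vulnerable endpoint
    for name, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        if any(TRAVERSAL_RE.search(fully_decode(v)) for v in values):
            reasons.append(f"traversal sequence in parameter '{name}'")
    if method == "POST":
        reasons.append("POST to BrowseFiles.php (possible file upload)")
    return reasons


def scan_log(text):
    """Parse combined-format log lines and return the suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["method"], m["uri"])
        if reasons:
            hits.append({"ip": m["ip"], "method": m["method"], "uri": m["uri"], "reasons": reasons})
    return hits


def find_unexpected_php(docroot):
    """List PHP files under the vulnerable directory that are not in the expected baseline."""
    base = os.path.join(docroot, VULN_DIR)
    unexpected = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            if name.lower().endswith(".php") and name not in EXPECTED_PHP:
                unexpected.append(os.path.relpath(os.path.join(root, name), base))
    return sorted(unexpected)


def build_demo_docroot():
    """Create a constructed document root with one expected and one unexpected PHP file."""
    docroot = tempfile.mkdtemp(prefix="dme-demo-")
    target = os.path.join(docroot, VULN_DIR)
    os.makedirs(target)
    for name in ("BrowseFiles.php", "upload_test.php"):  # constructed sample files
        with open(os.path.join(target, name), "w") as fh:
            fh.write("<?php /* placeholder */ ?>\n")
    return docroot


# Constructed sample log: two traversal attempts (one URL-encoded), one benign use, one unrelated page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:10:01:02 +0000] "GET /WebAdmin/admin/AudioCodes_files/ajax/BrowseFiles.php?dir=../../../../tmp HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Mar/2022:10:01:05 +0000] "POST /WebAdmin/admin/AudioCodes_files/ajax/BrowseFiles.php?dir=%2e%2e%2f%2e%2e%2f HTTP/1.1" 200 64 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2022:10:02:00 +0000] "GET /WebAdmin/admin/AudioCodes_files/ajax/BrowseFiles.php?dir=firmware HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2022:10:02:01 +0000] "GET /WebAdmin/admin/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['uri']} -> {', '.join(hit['reasons'])}")
    print("unexpected PHP files:", find_unexpected_php(build_demo_docroot()))
```

Point `scan_log` at a real access log and `find_unexpected_php` at the real document root; a non-empty result from either is a reason to pull the server for incident response rather than just to patch it, since the advisory rates exploitation as trivial and unauthenticated.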
