CVE-2024-48197

4.7 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability in Audiocodes MP-202b version 4.4.3 allows attackers to inject malicious scripts into the login page. When exploited, it enables privilege escalation by tricking administrators into executing attacker-controlled code. Organizations using this specific version of the MP-202b device are affected.

💻 Affected Systems

Products:
  • Audiocodes MP-202b
Versions: v.4.4.3
Operating Systems: Embedded system
Default Config Vulnerable: ⚠️ Yes
Notes: Only the web interface login page of version 4.4.3 is confirmed affected. Other versions may also be vulnerable, but this is unconfirmed.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to the device, potentially compromising the entire VoIP network, intercepting calls, or using the device as a pivot point into internal networks.

🟠 Likely Case

Attackers steal administrator session cookies or credentials, gaining unauthorized access to device configuration and potentially disrupting VoIP services.

🟢 If Mitigated

Attack attempts are logged but fail to execute due to input validation or output encoding protections.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires the attacker to trick an administrator into visiting a malicious link or the login page with injected payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://audiocodes.com

Restart Required: No

Instructions:

  1. Check the Audiocodes website for security advisories.
  2. If a patch is available, download the firmware update.
  3. Back up the device configuration.
  4. Upload and apply the firmware update through the web interface.
  5. Verify that the reported version has changed.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement a web application firewall or reverse proxy with XSS filtering in front of the MP-202b login page.

Access Restriction (platform: linux)

Restrict access to the web interface to trusted IP addresses only. Replace TRUSTED_IP with the address or subnet of the management host; because iptables evaluates rules in order, the ACCEPT rules must be added before the DROP rules.

# allow the trusted management address to reach the web interface
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
# drop all other HTTP/HTTPS traffic to the device
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Isolate the MP-202b device on a separate VLAN with strict network segmentation
  • Disable the web interface entirely and use alternative management methods if available

🔍 How to Verify

Check if Vulnerable:

Access the web interface login page and attempt to inject basic XSS payloads like <script>alert('test')</script> into login form fields

Check Version:

Log in to the web interface and check the System Information or About page for the firmware version.

Verify Fix Applied:

After applying any mitigation, test the same XSS payloads to confirm they are properly sanitized or blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual login attempts with script-like characters in parameters
  • Multiple failed login attempts from single IP followed by successful login

Network Indicators:

  • HTTP requests to login page containing script tags or JavaScript code in parameters
  • Unusual outbound connections from the MP-202b device

SIEM Query:

source="mp-202b" AND (uri="*login*" AND (param="*<script>*" OR param="*javascript:*" OR param="*onload=*"))
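The SIEM query above matches only literal substrings, so a URL-encoded payload (the form a browser actually sends) would be missed. The following added example, which is not part of the original advisory, applies the same three indicators to web-server access logs after URL-decoding the request target and scopes the match to the login page. The log format and the sample lines are constructed assumptions, not output from a real MP-202b.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format assumed); the
# payload lines mirror the indicators named in the advisory, URL-encoded.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /login.html HTTP/1.1" 200 1024
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /login.html?user=admin HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2024:10:01:12 +0000] "GET /login.html?user=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024
198.51.100.7 - - [01/Jan/2024:10:01:20 +0000] "GET /login.html?redir=javascript:alert(1) HTTP/1.1" 200 1024
198.51.100.7 - - [01/Jan/2024:10:01:30 +0000] "GET /login.html?user=%3Cimg%20src%3Dx%20onload%3Dalert(1)%3E HTTP/1.1" 200 1024
203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /status.html?q=%3Cscript%3E HTTP/1.1" 200 512
"""

# Common log format: client IP, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The same three indicators as the SIEM query, as case-insensitive patterns.
XSS_INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}

def decode_target(target, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are also seen."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def find_login_xss_attempts(log_text):
    """Return one record per request to the login page whose query matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = decode_target(m.group("target"))
        path, _, query = target.partition("?")
        if "login" not in path.lower():
            continue  # only the login page is in scope for this CVE
        matched = [name for name, rx in XSS_INDICATORS.items() if rx.search(query)]
        if matched:
            hits.append({"ip": m.group("ip"), "timestamp": m.group("ts"),
                         "indicators": matched, "target": target})
    return hits
```

Feed the device's or reverse proxy's access log in place of SAMPLE_LOG; a source address producing several hits in a short window is the pattern the Log Indicators section describes.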
