CVE-2024-52884

7.5 HIGH

📋 TL;DR

AudioCodes Mediant SBC devices before version 7.40A.501.841 use weak password obfuscation in configuration exports, allowing attackers with access to exported INI files to decrypt stored passwords. This affects organizations using vulnerable AudioCodes SBC devices for VoIP/SIP traffic management. Attackers need access to configuration backups or exports to exploit this vulnerability.

💻 Affected Systems

Products:
  • AudioCodes Mediant Session Border Controller
Versions: All versions before 7.40A.501.841
Operating Systems: AudioCodes proprietary SBC OS
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations that export INI files containing obfuscated passwords are vulnerable. The vulnerability exists in the password obfuscation mechanism itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain administrative access to SBC devices, intercept or redirect all VoIP traffic, compromise internal telephony systems, and potentially pivot to other network resources.

🟠 Likely Case: Attackers with access to configuration backups decrypt administrative or service account passwords, gaining unauthorized access to SBC management interfaces.

🟢 If Mitigated: With proper access controls on configuration files and network segmentation, impact is limited to credential exposure without direct device access.

🌐 Internet-Facing: MEDIUM - SBCs are often internet-facing for VoIP traffic, but exploitation requires access to configuration exports which are typically stored internally.
🏢 Internal Only: HIGH - Configuration exports are often stored on internal systems, backup servers, or shared drives where internal attackers or malware could access them.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to exported INI configuration files. The decryption process is reportedly straightforward once the weak obfuscation method is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.40A.501.841 and later

Vendor Advisory: https://www.audiocodes.com/solutions-products/products/session-border-controllers-sbcs

Restart Required: No

Instructions:

1. Download firmware version 7.40A.501.841 or later from the AudioCodes support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface or CLI.
4. Verify successful upgrade and functionality.

🔧 Temporary Workarounds

Secure Configuration File Storage

all

Restrict access to exported INI configuration files using file system permissions and secure storage locations.

Disable Unnecessary Configuration Exports

all

Avoid exporting configuration files unless absolutely necessary, and delete old exports immediately after use.
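
One way to audit a backup location against the two workarounds above, as an added example that is not part of the original advisory or any AudioCodes tooling: it flags exported .ini files that group or other accounts can access, and exports older than a retention window. The 7-day window, the function name `audit_exports` and the POSIX permission model are assumptions.

```python
import stat
import sys
import time
from pathlib import Path

MAX_AGE_DAYS = 7  # assumption: local retention limit for exports, not a value from the advisory


def audit_exports(root, max_age_days=MAX_AGE_DAYS, now=None):
    """Return a sorted list of (path, [findings]) for .ini files under root."""
    now = time.time() if now is None else now
    report = []
    for path in Path(root).rglob("*"):
        # Only regular files with an .ini suffix; symlinks are skipped, not followed.
        if path.suffix.lower() != ".ini" or path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        findings = []
        # Any group/other permission bit means accounts besides the owner can reach the file.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = oct(stat.S_IMODE(st.st_mode))
            findings.append("mode %s grants group/other access" % mode)
        # A group/other-writable parent directory lets other accounts replace or remove the file.
        if path.parent.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("parent directory is group/other writable")
        # Old exports keep obfuscated passwords around longer than needed.
        age_days = (now - st.st_mtime) / 86400
        if age_days > max_age_days:
            findings.append("export is %d days old; delete after use" % age_days)
        if findings:
            report.append((str(path), findings))
    return sorted(report)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for file_path, issues in audit_exports(target):
        for issue in issues:
            print(f"{file_path}: {issue}")
```

Run it with the backup directory as the only argument; an empty output means no .ini file under that path matched either condition.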

🧯 If You Can't Patch

  • Implement strict access controls on all systems storing SBC configuration backups
  • Monitor for unauthorized access attempts to configuration files and SBC management interfaces

🔍 How to Verify

Check if Vulnerable:

Check SBC firmware version via web interface (System > Status > Version) or CLI command 'show version'

Check Version:

show version

Verify Fix Applied:

Verify firmware version is 7.40A.501.841 or later and test password obfuscation in new configuration exports

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to configuration backup locations
  • Multiple failed login attempts to SBC management interface
  • Unusual configuration export activities

Network Indicators:

  • Unexpected connections to SBC management ports from unusual sources
  • Configuration file transfers to unauthorized destinations

SIEM Query:

source="*SBC*" AND (event="Configuration Export" OR event="Backup Created") AND dest_ip NOT IN [approved_backup_servers]
