Avaya Aura Device Services Remote Code Execution
CVE-2023-3722
8.6HIGH
Key Information
- Vendor
- Avaya
- Status
- Aura Device Services
- Vendor
- CVE Published:
- 19 July 2023
Badges
πΎ Exploit Existsπ‘ Public PoC
Summary
An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.
Affected Version(s)
Aura Device Services <= 0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Score:
8.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database1 Proof of Concept(s)
Credit
Wilfried Becard - SYNACKTIV
Nicolas Biscos- SYNACKTIV