Avaya Aura Device Services Remote Code Execution
CVE-2023-3722

8.6HIGH

Key Information:

Vendor: Avaya
Status: Aura Device Services
Vendor: CVE Published:; 19 July 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

An OS command injection vulnerability has been identified in the Avaya Aura Device Services Web application. This flaw could potentially allow an attacker to execute arbitrary commands on the server by exploiting a maliciously crafted file upload. Affected users of Avaya Aura Device Services version 8.1.4.0 and earlier are urged to take immediate action to secure their systems against possible exploitation.

Affected Version(s)

Aura Device Services 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-3722
Created by pizza-power

References

https://download.avaya.com/css/public/documents/101076366

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 20, 2024
👾
Exploit known to exist
Nov 20, 2024
Vulnerability published
Jul 19, 2023
Vulnerability Reserved
Jul 17, 2023

Credit

Wilfried Becard - SYNACKTIV

Nicolas Biscos- SYNACKTIV