Avaya Aura Device Services Remote Code Execution

CVE-2023-3722

8.6HIGH

Key Information

Vendor: Avaya
Status: Aura Device Services
Vendor: CVE Published:; 19 July 2023

Badges

👾 Exploit Exists🔴 Public PoC

Summary

An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.

Affected Version(s)

Aura Device Services <= 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-3722
Created by pizza-power

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Nov 20, 2024
Risk change from: 9.8 to: 8.6 - (HIGH)
Oct 22, 2024
Vulnerability published.
Jul 19, 2023
Vulnerability Reserved.
Jul 17, 2023

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

Wilfried Becard - SYNACKTIV

Nicolas Biscos- SYNACKTIV