PT-2019-12753 · Akuvox · Akuvox R50P Voip Phone

Published: 2019-07-22 · Updated: 2020-08-24 · CVE-2019-12324

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Akuvox R50P VoIP phone version 50.0.6.156

Description: A command injection issue caused by missing input validation in the IP address field for the logging server in the configuration web interface allows an authenticated remote attacker on the same network to execute OS commands via shell metacharacters in a POST request to the / API endpoint, specifically targeting the logging server ip variable.

Recommendations: For Akuvox R50P VoIP phone version 50.0.6.156, as a temporary workaround, consider disabling the logging server configuration feature until a patch is available. Restrict access to the configuration web interface to minimize the risk of exploitation. Avoid using shell metacharacters in the IP address field for the logging server. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
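The root cause named above is missing input validation on the logging-server IP field. The following is an added illustration of that mitigation, not Akuvox firmware code: it accepts only a bare IPv4/IPv6 literal (so metacharacters, hostnames, ports and whitespace are all rejected) and hands the value to a hypothetical syslog client as an argv list rather than through a shell. The function names and the client binary path are assumptions.

```python
import ipaddress

# Added example of strict validation for a logging-server IP setting.
# Not vendor code; names and the client path below are hypothetical.

# Longest textual IPv6 literal (with embedded IPv4) is 45 characters.
_MAX_IP_LITERAL_LEN = 45


def validate_logging_server_ip(value: str) -> str:
    """Return the canonical text form of a valid IPv4 or IPv6 address.

    Raises ValueError for anything that is not a bare IP literal. Because
    ipaddress.ip_address() does not strip or tolerate extra characters,
    inputs such as "10.0.0.1;x", "10.0.0.1:514", " 10.0.0.1" or a hostname
    are all refused before they can reach any command line.
    """
    if not isinstance(value, str) or not value or len(value) > _MAX_IP_LITERAL_LEN:
        raise ValueError("logging server IP must be a non-empty IP literal")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        raise ValueError(f"not a valid IP address: {value!r}") from None
    return str(addr)


def is_valid_logging_server_ip(value: str) -> bool:
    """Boolean wrapper around validate_logging_server_ip() for form checks."""
    try:
        validate_logging_server_ip(value)
    except ValueError:
        return False
    return True


def build_logger_command(value: str) -> list:
    """Build argv for a hypothetical syslog client (no shell involved).

    Passing a list to subprocess.run(argv) (shell=False) means the address
    is delivered as a single literal argument, so even if validation were
    bypassed, no shell would parse metacharacters in it.
    """
    ip = validate_logging_server_ip(value)
    return ["/usr/bin/logger-client", "--server", ip]  # hypothetical path
```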

Exploit

OS Command Injection

Related Identifiers

CVE-2019-12324

Affected Products

Akuvox R50P Voip Phone