CVE-2018-16216

Name of the Vulnerable Software and Affected Versions AudioCodes 405HD version 2.2.12

Description A command injection issue due to missing input validation and escaping in the monitoring or memory status web interface allows an authenticated remote attacker in the same network as the device to execute OS commands via a POST request to the web server. This can be used to start services like telnetd or open a reverse shell. When combined with another attack that enables unauthenticated password change, the authentication requirement can be circumvented.

Recommendations For AudioCodes 405HD version 2.2.12, consider disabling access to the monitoring or memory status web interface until a patch is available to prevent command injection attacks. Restrict access to the device's web server to minimize the risk of exploitation. Avoid using the web interface for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.