CVE-2022-24629

CRITICAL

AudioCodes Device Manager Express <7.8.20002.47752 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-24629.

AI-analyzed exploit summary: This exploit demonstrates multiple vulnerabilities in AudioCodes Device Manager Express, including SQL injection for authentication bypass, path traversal for file upload/download, and remote command execution. It provides a functional menu-driven interface to exploit these flaws.

Description

An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. Remote code execution can be achieved via directory traversal in the dir parameter of the file upload functionality of BrowseFiles.php. An attacker can upload a .php file to WebAdmin/admin/AudioCodes_files/ajax/.

Exploits (1)

exploitdb · WORKING POC
python · webapps · php
https://www.exploit-db.com/exploits/51145

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: AudioCodes Device Manager Express <= 7.8.20002.47752
No auth needed
Prerequisites: Network access to the target · Default credentials or SQL injection vulnerability for authentication bypass
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References
Exploit, Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2023/Feb/12

Scores

CVSS v3 9.8
EPSS 0.3725
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (1)
audiocodes/device_manager_express < 7.8.20002.47752
Published May 29, 2023
Tracked Since Feb 18, 2026