CVE-2023-30024

MEDIUM

magicJack A921 Firmware - Unauthenticated Arbitrary Code Execution via Hidden NAND Flash Partition

Title source: llm

Description

The MagicJack device, a VoIP solution for internet phone calls, contains a hidden NAND flash memory partition allowing unauthorized read/write access. Attackers can exploit this by replacing the original software with a malicious version, leading to ransomware deployment on the host computer. Affected devices have firmware versions prior to magicJack A921 USB Phone Jack Rev 3.0 V1.4.

References (4)

Core 4

Core References

Exploit

https://drive.google.com/drive/folders/1cKd8hksThK610GPtBQ3du8DEkwKywlAi?usp=sharing

Third Party Advisory

https://pastebin.com/raw/irWcawp8

Exploit, Technical Description, Third Party Advisory

https://samuraisecurity.co.uk/red-teaming-0x01-click-rce-via-voip-usb/

Product

https://www.magicjack.com/

Scores

CVSS v3 6.6

EPSS 0.0047

EPSS Percentile 37.2%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-269 CWE-863

Status published

Products (1)

magicjack/a921_firmware 1.4

Published Apr 28, 2023

Tracked Since Feb 18, 2026