# [CVE-2018-10093] Remote command injection vulnerability in AudioCode IP phones
The AudioCodes 400HD series of IP phones consists in a range of
easy-to-use, feature-rich desktop devices for the service provider
hosted services, enterprise IP telephony and contact center markets.
The CGI scripts used on the 420HD phone (web interface) do not filter
user inputs correctly. Consequently, an authenticated attacker could
inject arbitrary commands (Remote Code Execution) and take full control
over the device. For example, it is possible to intercept live
## Vulnerability records
**CVE ID**: CVE-2018-10093
**Access Vector**: remote
**Security Risk**: medium
**CVSS Base Score**: 7.2
**CVSS Vector String**:
The script `command.cgi`, used for system monitoring and diagnostics, is
vulnerable to a remote command execution attack.
Visiting the `/command.cgi?cat%20/etc/passwd` gives the following result:
Note that the vulnerable page is only available to authenticated users
(in possession of the admin configuration password).
## Timeline (dd/mm/yyyy)
* 06/03/2018 : Initial discovery
* 17/04/2018 : Vendor contact
* 17/05/2018 : Vendor technical team aknowledgment
* 07/01/2019 : Vendor recommendation to mitigate the issue
* 10/01/2019 : Public disclosure
AudioCodes recommends to change the default admin credentials to
mitigate the issue.
## Affected versions
Theses vulnerabilities have only been tested on the 420HD phone
(firmware version: 126.96.36.199).
a.baube at sysdream dot com