CVE-2023-22955

HIGH EPSS 21.6%

Published Aug 11, 20232y ago · Modified Jun 17, 20261w ago

7.8 CVSS 3.1

High

Published Aug 11, 2023 2y ago

Last Modified Jun 17, 2026 1w ago

Description

An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. The validation of firmware images only consists of simple checksum checks for different firmware components. Thus, by knowing how to calculate and where to store the required checksums for the flasher tool, an attacker is able to store malicious firmware.

CVSS Details

Base Score

7.8

Exploitability

1.8

Impact

5.9

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

21.6% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-345

Affected Products 6

Vendor	Product	Version	Range
audiocodes	445hd_firmware	*	≤3.4.4.1000
audiocodes	445hd	*	any
audiocodes	405hd_firmware	*	≤3.4.4.1000
audiocodes	405hd	*	any
audiocodes	c450hd_firmware	*	≤3.4.4.1000
audiocodes	c450hd	*	any

References 4

packetstormsecurity.com http://packetstormsecurity.com/files/174214/AudioCodes-VoIP-Phones-Insufficient-Firmware-Validation.html

Third Party AdvisoryVDB Entry
seclists.org http://seclists.org/fulldisclosure/2023/Aug/17

Mailing ListThird Party Advisory
syss.de https://syss.de

Not Applicable
syss.de https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.