Arbitrary Code Execution via Manipulated Ringtone Upload in Akuvox R50P VoIP Phone 50.0.6.156

CVE-2019-12326 · HIGH Severity

AV:N/AC:L/Au:N/C:C/I:C/A:C

Missing file and path validation in the ringtone upload function of the Akuvox R50P VoIP phone 50.0.6.156 allows an attacker to upload a manipulated ringtone file containing an executable payload (shell commands within the file) and trigger code execution.
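
One way an upload handler can apply the file and path validation described above, as an added example that is not Akuvox's code or part of the original advisory. The storage directory, size cap, filename allowlist and the assumption that ringtones are RIFF/WAVE files are all hypothetical.

```python
import os
import re
import struct

# Assumed values for illustration; not taken from the device firmware.
RINGTONE_DIR = "/var/ringtones"
MAX_SIZE = 512 * 1024
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}\.wav")  # no separators, dots or shell metacharacters

def safe_destination(filename):
    """Return the absolute target path, or raise ValueError for an unsafe name."""
    if not NAME_RE.fullmatch(filename):
        raise ValueError("filename not in allowlist")
    dest = os.path.realpath(os.path.join(RINGTONE_DIR, filename))
    if os.path.dirname(dest) != os.path.realpath(RINGTONE_DIR):
        raise ValueError("path escapes ringtone directory")
    return dest

def validate_wav(data):
    """Accept only a RIFF/WAVE file whose chunks account for every byte."""
    if not 12 <= len(data) <= MAX_SIZE:
        raise ValueError("bad size")
    riff, riff_len, wave = struct.unpack_from("<4sI4s", data, 0)
    if riff != b"RIFF" or wave != b"WAVE" or riff_len + 8 != len(data):
        raise ValueError("not a RIFF/WAVE container, or trailing data present")
    pos, seen = 12, set()
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        cid, clen = struct.unpack_from("<4sI", data, pos)
        pos += 8 + clen + (clen & 1)  # chunks are padded to an even length
        if pos > len(data):
            raise ValueError("chunk overruns file")
        seen.add(cid)
    if not {b"fmt ", b"data"} <= seen:
        raise ValueError("missing fmt or data chunk")

def check_upload(filename, data):
    """Validate name and content; return where the file may be stored."""
    dest = safe_destination(filename)
    validate_wav(data)
    return dest

def make_wav(samples=b"\x00\x00" * 8):
    """Build a minimal constructed PCM WAV used as sample input."""
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + fmt + struct.pack("<4sI", b"data", len(samples)) + samples
    return struct.pack("<4sI", b"RIFF", len(body)) + body
```

A payload can still sit inside a well-formed `data` chunk, so this check complements, and does not replace, ensuring that neither the uploaded bytes nor the filename are ever handed to a shell.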
