CVE-2018-5757: RCE In AudioCodes 450HD Phone


Description: Improper input sanitization allows an authenticated user remote code execution on AudioCodes 450HD phones through the "Ping" and "Traceroute" diagnostics functionality.
Versions Affected: AudioCodes 450HD Phone firmware version has been tested. Other versions (previous and later) are likely affected as well.
Researcher: Spencer Gietzen of Rhino Security Labs
Disclosure Link: N/A (this is it)

Proof-of-Concept Exploit


The "Ping" and "Traceroute" functions in the AudioCodes 450HD web UI place user-supplied content into operating system commands without proper sanitization. This allows for the injection of operating system commands as the user running the web server. This web UI also uses a default set of administrator credentials (User is "admin", pass is "1234"), so it is trivial to gain access to the vulnerable functionality.


  • First, log in to the web UI of the device. There is a default administrator account using "admin" as the username and "1234" as the password.
  • When making a request to the "Traceroute" function of the web UI, something similar to the following request is made:
    [Screenshot: Normal traceroute request]
  • By modifying the query string of the URL, it is possible to inject arbitrary commands to run on the operating system. The payload that was confirmed working looked like this:
    traceroute|<YOUR COMMAND>|a #'
  • Here is an example screenshot that runs "ls /" on the operating system.
    [Screenshot: Listing the contents of the "/" folder on the phone]
  • The following screenshot shows the output of the previous command, which shows that localhost was tracerouted and then a listing of the "/" folder follows.
    [Screenshot: The output of the code we executed on the system]
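The root cause described above (a query-string value spliced into an operating-system command) and the fix a vendor would ship are easiest to see side by side. The following is an added example written for this advisory, not code from AudioCodes or from the 450HD firmware: a minimal Python diagnostics handler in its flawed form next to a hardened one, plus a log-review check that flags the injection shape shown above in web-server access logs. The request path "/diag", the parameter names "tool" and "host", and the sample log lines are constructed for the example; the advisory does not show the phone's real request format.

```python
"""Command injection in a "ping/traceroute" diagnostics handler.

Added example, not code from the advisory or from AudioCodes. The request
path "/diag" and the query parameters "tool" and "host" are assumptions made
for this demo; the advisory does not show the phone's real request format.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Fixed allow-list of tools and their base argument vectors.
ALLOWED_TOOLS = {"ping": ["ping", "-c", "3"], "traceroute": ["traceroute"]}

# RFC 1123 hostname: labels of 1-63 alphanumerics or hyphens, no leading or
# trailing hyphen, at most 253 characters overall. Rejecting a leading hyphen
# also blocks option injection (a "host" of "-x" would otherwise be a flag).
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)"
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)

# Characters with meaning to /bin/sh. Used for log review; the allow-list
# above is the actual defence, this is only a detection heuristic.
SHELL_META = re.compile(r"[|;&`$(){}<>'\"\\\n]")


def vulnerable_command(tool: str, host: str) -> str:
    """The flawed pattern: the raw parameter is spliced into a shell string
    (what a handler would hand to /bin/sh -c). Returned, not executed, so
    the example is safe to run: every metacharacter survives untouched."""
    return f"{tool} {host}"


def validate_target(host: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(host) is not None


def build_argv(tool: str, host: str) -> list:
    """Hardened form: tool allow-list plus validated target, assembled as an
    argument vector so no shell ever parses the user's input."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"unknown diagnostic tool: {tool!r}")
    if not validate_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ALLOWED_TOOLS[tool] + [host]


def run_diagnostic(tool: str, host: str, timeout: float = 30.0) -> str:
    """Execute with shell=False; the target reaches the tool as one argv entry."""
    argv = build_argv(tool, host)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout + proc.stderr


def looks_like_injection(value: str) -> bool:
    """True if a decoded parameter value contains shell metacharacters."""
    return SHELL_META.search(value) is not None


# Constructed access-log lines (not from the advisory). Line 1 carries the
# advisory's payload shape, percent-encoded as a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 - admin "GET /diag?tool=traceroute&host=127.0.0.1 HTTP/1.1" 200',
    '10.0.0.5 - admin "GET /diag?tool=traceroute'
    '&host=traceroute%7C%3CYOUR%20COMMAND%3E%7Ca%20%23%27 HTTP/1.1" 200',
    '10.0.0.9 - admin "GET /diag?tool=ping&host=example.com HTTP/1.1" 200',
]


def suspicious_requests(log_lines):
    """Scan access-log lines; return (line_index, param, decoded_value) for
    every query parameter whose decoded value contains shell metacharacters."""
    request_re = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    hits = []
    for idx, line in enumerate(log_lines):
        m = request_re.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)
        for key, values in params.items():
            for value in values:
                if looks_like_injection(value):
                    hits.append((idx, key, value))
    return hits


if __name__ == "__main__":
    payload = "traceroute|<YOUR COMMAND>|a #'"
    print("flawed handler would run:", vulnerable_command("traceroute", payload))
    print("hardened handler argv:   ", build_argv("traceroute", "127.0.0.1"))
    for idx, key, value in suspicious_requests(SAMPLE_LOG):
        print(f"log line {idx}: parameter {key!r} looks injected: {value!r}")
```

The hardened path never builds a shell string at all: the tool name selects a fixed argument vector, the target must be an IP literal or a well-formed hostname, and `subprocess.run` receives a list with `shell=False`, so characters such as `|`, `;` or `#` are passed to `traceroute` verbatim as part of one argument rather than interpreted. `suspicious_requests` is the retrospective check: run over the phone's web-server log (or a proxy log in front of it), it surfaces any request whose decoded parameters contain shell metacharacters, which is the one signal the advisory's exploitation pattern cannot avoid leaving.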
