← Advisories

Akuvox Smart Intercom/Doorphone ServicesHTTPAPI Improper Access Control

High
Advisory ID
ZSL-2024-5862
Release Date
26 November 2024
Vendor
The Akuvox Company - https://www.akuvox.com
Affected Version
Doorphone:, S539, S532, X916, X915, X912, R29, Intercom:, E16C, R20K-2, R20A-2, C313W-2, NS-2, NC-2, NX-2, Firmware: 912.30.1.137
CVE
CVE-2024-58337
Tested On
lighttpd/1.4.30, EasyHttpServer
Summary

Vandal-resistant Door Phone for High-end Buildings. Offering top-of-the-line features, Akuvox X912 is targeted at high-end residential and commercial projects. With a compact size, it is perfect for buildings with limited installation space.

Description

The Akuvox Smart Intercom/Doorphone suffers from an insecure service API access control. The vulnerability in ServicesHTTPAPI endpoint allows users with "User" privileges to modify API access settings and configurations. This improper access control permits privilege escalation, enabling unauthorized access to administrative functionalities. Exploitation of this issue could compromise system integrity and lead to unauthorized system modifications.

Proof of Concept
akuvox_eop.txtTXT
Disclosure Timeline
25.02.2024Vulnerability discovered.
19.03.2024Vendor contacted.
20.03.2024Vendor responds asking for more details. Sends PGP key.
22.03.2024Replied to the vendor.
29.03.2024Vendor starts working on a fix.
02.04.2024Working with the vendor.
29.10.2024Vendor releases version 915.30.10.158 to address this issue.
26.11.2024Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://packetstormsecurity.com/files/182870/
[2]https://cxsecurity.com/issue/WLB-2024110042
[3]https://www.cve.org/CVERecord?id=CVE-2024-58337
Changelog
26.11.2024Initial release
27.11.2024Added reference [1]
23.12.2024Added reference [2]
23.03.2026Added reference [3]