Kerbit researchers discovered that threat actors could chain three security flaws in the Pascom Cloud Phone System to obtain complete pre-authenticated remote code execution, reports The Hacker News.
Businesses have been using the Pascom Cloud Phone System for hosting and establishing private phone networks in various platforms. Attackers could combine the flaws, which include an arbitrary path reversal issue within the web interface, a CVE-2019-18394-related server-side request forgery vulnerability, and command injection leveraging the exd.pl daemon, to secure administrator passwords, enter non-exposed endpoints, and achieve remote code execution, according to researcher Daniel Eshetu.
Eshetu added that the exploit chain could also help facilitate command execution as root.
"This gives us full control of the machine and an easy way to escalate privileges," said Eshetu.
While patches for the vulnerabilities have been promptly released after being reported to Pascom on January 3, users of self-hosted CPS have been urged to immediately update to the latest version.