Akuvox Smart Intercom and Doorphone Improper Access Control Vulnerability
Vulnerability
A vulnerability exists in the Akuvox Smart Intercom and Doorphone models S539, S532, X916, X915, X912, R29, as well as Intercom models E16C, R20K-2, R20A-2, C313W-2, NS-2, NC-2, and NX-2, all running firmware 912.30.1.137. This vulnerability allows users with 'User' privileges to improperly modify API access settings and configurations through the ServicesHTTPAPI endpoint. Such actions could lead to unauthorized privilege escalation, granting access to administrative functionalities that should be restricted.
Impact
Exploitation of this vulnerability could bypass security measures and allow for unauthorized elevation of privileges, enabling access to restricted administrative features.
Reproduction
The vulnerability can be reproduced by logging into the affected device with 'User' privileges and accessing the ServicesHTTPAPI endpoint. Once there, it is possible to modify API access settings and configurations, thereby escalating privileges and gaining unauthorized administrative access.
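The access-control failure described above, shown as an added illustration that is not Akuvox's firmware code: a hypothetical handler for a configuration endpoint in its vulnerable form (checks only that the caller is logged in) beside a hardened form (requires the Admin role and rejects unknown keys), followed by an audit pass over constructed log lines that flags successful write requests to that endpoint by non-admin accounts. Only the endpoint name ServicesHTTPAPI comes from the advisory; the URL path, role names, settings keys, request shape and log format are assumptions made for the demonstration.

```python
"""Constructed example of the authentication-vs-authorization gap behind the
Akuvox ServicesHTTPAPI finding. Not Akuvox's code: the user model, settings
keys, URL path and log format below are assumptions for illustration."""
from dataclasses import dataclass

# Hypothetical device settings the endpoint lets a caller modify.
DEVICE_SETTINGS = {"http_api_enabled": False, "http_api_auth": "digest"}


@dataclass
class Session:
    username: str
    role: str  # "Admin" or "User" (role names assumed)


class Forbidden(Exception):
    pass


def services_http_api_vulnerable(session, settings, changes):
    """Vulnerable pattern: only authentication is checked. Any logged-in
    account, including a 'User' role, can rewrite API access settings."""
    if session is None:
        raise Forbidden("not logged in")
    settings.update(changes)
    return settings


def services_http_api_fixed(session, settings, changes):
    """Hardened pattern: the same endpoint, but configuration writes require
    the Admin role (authorization) and unknown keys are refused."""
    if session is None:
        raise Forbidden("not logged in")
    if session.role != "Admin":
        raise Forbidden(f"role {session.role!r} may not modify API settings")
    unknown = set(changes) - set(settings)
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    settings.update(changes)
    return settings


# Constructed access-log lines in an assumed key=value format (not a real
# device log). Line 3 is the one a defender wants surfaced: a 'User' role
# account successfully writing to the configuration endpoint.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z user=alice role=Admin method=POST path=/ServicesHTTPAPI status=200",
    "2024-05-01T08:02:15Z user=bob role=User method=GET path=/ServicesHTTPAPI status=200",
    "2024-05-01T08:03:40Z user=bob role=User method=POST path=/ServicesHTTPAPI status=200",
    "2024-05-01T08:04:02Z user=bob role=User method=POST path=/ServicesHTTPAPI status=403",
]
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Split a constructed log line into a dict of its key=value fields."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def flag_non_admin_config_changes(lines, endpoint="/ServicesHTTPAPI"):
    """Return records for successful (HTTP 200) write requests to the
    configuration endpoint made by accounts that are not Admin. On a patched
    device these should never appear; on an unpatched one they show the
    privilege escalation happening."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec.get("path") == endpoint
                and rec.get("method") in WRITE_METHODS
                and rec.get("role") != "Admin"
                and rec.get("status") == "200"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    user = Session("bob", "User")
    print(services_http_api_vulnerable(user, dict(DEVICE_SETTINGS),
                                       {"http_api_enabled": True}))
    for hit in flag_non_admin_config_changes(SAMPLE_LOG):
        print("non-admin config change:", hit["ts"], hit["user"])
```

The audit function is the useful half for operators who cannot patch immediately: run it over whatever request log the device or a fronting proxy produces, after adapting `parse_line` to that format, and alert on any hit until the 915.30.10.158 firmware is deployed.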
Remediation
Akuvox has released a patch for this vulnerability in version 915.30.10.158. Users should update to this version to address the issue.
