Akuvox Smart Intercom HTTP API Improper Access Control Leading to Privilege Escalation

Vulnerability Key Information Vulnerability Title: Akuvox Smart Intercom/Doorphone Services HTTP API Improper Access Control Vulnerability ID: ZSL-2024-5862 Type: Local/Remote Impact: Security Bypass, Elevation of Privileges Risk Level: 4/5 Release Date: 26.11.2024 Summary Akuvox X912 is a vandal-resistant doorphone designed for high-end residential and commercial projects. Its HTTP API endpoint contains insecure service API access control, allowing users with "user" privileges to modify API access settings and configurations. This could lead to privilege escalation, enabling unauthorized users to access management functions. Affected Versions Doorphone: S539, S532, X916, X915, X912, R29, and other models Intercom: E16C, R20K-2, R20A-2, and other models Firmware: 912.30.1.137 Test Environment Lighttpd/1.4.30 EasyHttpServer Vendor Status 25.02.2024: Vulnerability discovered 19.03.2024: Contacted vendor 20.03.2024: Vendor responded and requested more details; PGP key sent 29.03.2024: Vendor started remediation 02.04.2024: Collaborative testing with vendor 29.10.2024: Vendor released version 915.30.10.158 to fix the issue 26.11.2024: Public security advisory published Proof of Concept File: akuvox_eop.txt Acknowledgments Vulnerability discovered by Gjoko Krstic, email: gjoko@zeroscience.mk References 1. PacketStormSecurity 2. cxsecurity Change Log 26.11.2024: Initial release 27.11.2024: Added reference [1] 23.12.2024: Added reference [2]

Goal Reached Thanks to every supporter — we hit 100%!

Akuvox Smart Intercom HTTP API Improper Access Control Leading to Privilege Escalation