Avaya — Vulnerabilities & Security Advisories (47)

Browse all 47 CVE security advisories affecting Avaya. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Avaya operates primarily as a provider of enterprise communication solutions, including unified communications, contact center software, and networking hardware. The vendor’s portfolio has historically been associated with a significant volume of security flaws, currently totaling 47 recorded Common Vulnerabilities and Exposures (CVEs). These vulnerabilities predominantly involve remote code execution, cross-site scripting, and privilege escalation issues, often stemming from inadequate input validation or improper access controls within web interfaces and administrative panels. Notable incidents include critical flaws in IP Office and Session Manager products that allowed unauthenticated attackers to gain system-level access or execute arbitrary commands. The high count of CVEs reflects a pattern of legacy code vulnerabilities and delayed patch cycles for older on-premise deployments. Security researchers emphasize the necessity of rigorous network segmentation and immediate application of vendor-provided patches to mitigate the risk of exploitation in these communication infrastructure components.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-1041 | Avaya Call Management System RCE vulnerability | Avaya Call Management System | CWE-20 | 9.9 | Critical | 2025-06-10 |
| CVE-2024-12756 | Avaya Spaces HTML injection (HTMLi) Vulnerability | Avaya Spaces | CWE-1287 | 7.3 | High | 2025-02-11 |
| CVE-2024-12755 | Avaya Spaces XSS Vulnerability | Avaya Spaces | CWE-79 | 7.9 | High | 2025-02-11 |
| CVE-2024-7480 | Improper access control in Avaya Aura System Manager | Aura System Manager | CWE-266 | 4.2 | Medium | 2024-08-08 |
| CVE-2024-7477 | Avaya Aura System Manager SQL injection vulnerability | Aura System Manager | CWE-89 | 6.5 | Medium | 2024-08-08 |
| CVE-2024-4197 | Avaya IP Office One-X Portal File Upload Vulnerability | IP Office | CWE-434 | 9.9 | Critical | 2024-06-25 |
| CVE-2024-4196 | Avaya IP Office Web Control RCE Vulnerability | IP Office | CWE-782 | 10.0 | Critical | 2024-06-25 |
| CVE-2023-7031 | Avaya Experience Portal Manager Insecure Direct Object Reference Vulnerabilities | Experience Portal Manager | CWE-200 | 5.7 | Medium | 2024-01-17 |
| CVE-2023-3722 | Avaya Aura Device Services Remote Code Execution | Aura Device Services | CWE-434 | 8.6 | High | 2023-07-19 |
| CVE-2023-3527 | Avaya Call Management System CSV injection vulnerability | Avaya Call Management System | CWE-1236 | 6.8 | Medium | 2023-07-18 |
| CVE-2023-31187 | Avaya IX Workforce Engagement - CWE-522: Insufficiently Protected Credentials | IX Workforce Engagement | CWE-522 | 6.5 | Medium | 2023-05-30 |
| CVE-2023-32218 | Avaya IX Workforce Engagement - CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | IX Workforce Engagement | CWE-601 | 6.1 | Medium | 2023-05-30 |
| CVE-2023-31186 | Avaya IX Workforce Engagement - User Enumeration - CWE-204: Observable Response Discrepancy | IX Workforce Engagement | CWE-204 | 5.3 | Medium | 2023-05-30 |
| CVE-2022-2249 | Avaya Aura Communication Manager Privilege Escalation Vulnerabilities | Avaya Aura Communication Manager | CWE-269 | 7.7 | High | 2022-10-12 |
| CVE-2022-2975 | Avaya Aura Application Enablement Services weak permissions in web application | Avaya Aura Application Enablement Services | CWE-269 | 7.7 | High | 2022-10-06 |
| CVE-2021-25657 | Avaya IP Office Privilege Escalation Vulnerability | IP Office | CWE-269 | 7.8 | High | 2022-09-02 |
| CVE-2021-25654 | Avaya Aura Device Services Arbitrary Code Execution Vulnerability | Avaya Aura Devices Services | CWE-378 | 6.2 | Medium | 2021-06-25 |
| CVE-2021-25656 | Avaya Aura Experience Portal XSS vulnerabilities | Product | CWE-79 | 5.3 | Medium | 2021-06-24 |
| CVE-2021-25655 | URL redirection to untrusted site possible in Avaya Aura Experience Portal | Avaya Experience Portal | CWE-601 | 4.4 | Medium | 2021-06-24 |
| CVE-2021-25653 | Avaya Aura Appliance Virtualization Platform Utilities Privilege Escalation Vulnerability | Avaya Aura Appliance Virtualization Platform Utilities | CWE-250 | 8.0 | High | 2021-06-24 |
| CVE-2021-25652 | Avaya Aura Appliance Virtualization Platform Utilities Sensitive Information Disclosure Vulnerability | Avaya Aura Appliance Virtualization Platform Utilities | CWE-200 | 4.9 | Medium | 2021-06-24 |
| CVE-2021-25651 | Avaya Aura Utility Services Privilege Escalation Vulnerability | Avaya Aura Utility Services | CWE-250 | 8.0 | High | 2021-06-24 |
| CVE-2021-25650 | Avaya Aura Utility Services Privilege Escalation Vulnerability | Avaya Aura Utility Services | CWE-250 | 7.7 | High | 2021-06-24 |
| CVE-2021-25649 | Avaya Utility Services Sensitive Information Disclosure Vulnerability | Avaya Aura Utility Services | CWE-200 | 4.9 | Medium | 2021-06-24 |
| CVE-2020-7038 | Avaya Meetings Server Information Disclosure vulnerability | Avaya Meetings Management | CWE-284 | 7.5 | High | 2021-04-28 |
| CVE-2020-7037 | Avaya Equinox Conferencing XXE vulnerability | Avaya Meetings Server | CWE-611 | 8.1 | High | 2021-04-28 |
| CVE-2020-7036 | XXE in Avaya Callback Assist Administration | Callback Assist | CWE-611 | 8.1 | High | 2021-04-23 |
| CVE-2020-7035 | XXE in Avaya Aura Orchestration Designer | Aura Orchestration Designer | CWE-611 | 8.1 | High | 2021-04-23 |
| CVE-2020-7034 | Command injection in Avaya Session Border Controller for Enterprise | Session Border Controller for Enterprise | CWE-78 | 7.2 | High | 2021-04-23 |
| CVE-2020-7032 | Avaya WebLM Improper Restriction of XML External Entity Reference | WebLM | CWE-611 | 6.5 | Medium | 2020-11-13 |

This page lists every published CVE security advisory associated with Avaya. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.