CVE-2024-52881
Published: 07 February 2025
Description
An issue was discovered in AudioCodes One Voice Operations Center (OVOC) before 8.4.582. Due to the use of a hard-coded key, an attacker is able to decrypt sensitive data such as passwords extracted from the topology file.
Security Summary
CVE-2024-52881 is a cryptographic failure vulnerability (CWE-321) in AudioCodes One Voice Operations Center (OVOC) versions before 8.4.582. The issue stems from the use of a hard-coded key, which enables decryption of sensitive data, such as passwords, extracted from the topology file. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): it is reachable over the network with low attack complexity, requires no privileges or user interaction, and has a high impact on confidentiality with no impact on integrity or availability.
An unauthenticated attacker with network access can exploit this vulnerability if they obtain the topology file. By leveraging the hard-coded key, the attacker can decrypt embedded sensitive information, including passwords, potentially leading to unauthorized access to managed voice systems or further compromise within the environment.
For mitigation details, refer to the SySS advisory at https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-079.txt and the AudioCodes OVOC product page at https://www.audiocodes.com/solutions-products/products/management-products-solutions/one-voice-operations-center. Updating to OVOC version 8.4.582 or later addresses the hard-coded key issue.
Details
- CWE(s)