CVE-2025-1041 PUBLISHED

Avaya Call Management System RCE vulnerability

Assigner: avaya
Reserved: 04.02.2025 Published: 10.06.2025 Updated: 10.06.2025

An improper input validation discovered in

Avaya Call Management System could allow an unauthorized

remote command via a specially crafted web request. Affected versions include 18.x, 19.x prior to 19.2.0.7, and 20.x prior to 20.0.1.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Product Status

Vendor Avaya
Product Avaya Call Management System
Versions Default: unaffected
  • affected from 18.0 to 19.2.0.7 (excl.)
  • affected from 20.0 to 20.0.1.0 (excl.)

Credits

  • Roberto Olivero finder
  • Juan Ignacio Elola finder

References

Problem Types

  • CWE-20 Improper Input Validation CWE

Impacts

  • CAPEC-253 Remote Code Inclusion