Alcatel OmniVista remote command execution

Added: 12/31/2019

Background

Alcatel OmniVista is a graphical interface to Alcatel OmniPCX, a common VoIP solution.

Problem

Directory traversal and insecure upload vulnerabilities allow a remote attacker to upload and execute arbitrary PHP code.

Resolution

Upgrade to OmniVista 8770 version 4.1.12 or 4.2 or higher.

References

https://www.al-enterprise.com/en/-/media/assets/internet/documents/sa-c0065-ov8770-rce-vulnerability-en.pdf
https://git.lsd.cat/g/omnivista-rce

Limitations

Exploit works on OmniVista 4760.

Platforms

Alcatel
