>samit_hota
Back to advisories
SH-2026-072HighOpen

Eleveo Call Recording Software Vulnerabilities Allow Improper Authorization

Samit Hota·
CVE ID
CVE-2026-15474, CVE-2026-15472
CVSS Score
N/A
Affected Products
Eleveo Call Recording Software 9.7.0
#news#eleveo

Overview

Two distinct improper authorization vulnerabilities, identified as CVE-2026-15474 and CVE-2026-15472, have been discovered in Eleveo Call Recording Software version 9.7.0. These flaws allow remote attackers to perform unauthorized actions by manipulating specific arguments or affecting unknown code functions. Both vulnerabilities have been publicly disclosed, with exploits reportedly available in the wild, increasing the risk of active exploitation. Disturbingly, the vendor, Eleveo, was contacted early about these disclosures but has not responded.

Technical Details

CVE-2026-15474

This vulnerability affects an unknown function within the file /callrec/audio.jsp of the Call Recording Handler component in Eleveo Call Recording Software 9.7.0. The flaw specifically relates to the manipulation of the callId argument. By altering this argument, an attacker can trigger an improper authorization condition. This suggests that the system fails to adequately verify if the user making the request for a specific callId is actually authorized to access that call record. The attack can be performed remotely, meaning an attacker does not require physical access to the system or local network presence. The exploit has been released to the public.

CVE-2026-15472

This vulnerability impacts unknown code within the file /callrec/composeEmailAction.do in Eleveo Call Recording Software 9.7.0. Similar to CVE-2026-15474, exploiting this flaw results in improper authorization. The attack can also be executed remotely. The description indicates that merely executing a manipulation of this specific file or its associated actions can lead to unauthorized access or actions within the software. Like the previous CVE, the exploit has been publicly disclosed and may be utilized for attacks.

Both vulnerabilities highlight a fundamental weakness in the software’s access control mechanisms, allowing authenticated or potentially unauthenticated attackers to bypass intended permissions and access or manipulate resources they should not. The absence of a response from the vendor is a significant concern for the severity and status of these issues.

Real-World Impact

The real-world impact of improper authorization vulnerabilities in call recording software can be severe, especially given its role in handling sensitive communications.

  • Unauthorized Access to Confidential Call Records: Attackers could gain access to private call recordings, which often contain highly sensitive business, financial, or personal information. This can lead to industrial espionage, regulatory compliance failures (e.g., GDPR, HIPAA violations), and severe privacy breaches.
  • Data Manipulation and Tampering: If the improper authorization extends to write access, attackers could alter call records, potentially fabricating evidence or deleting critical information.
  • Reputational Damage: The exposure of confidential communications can severely damage an organization’s reputation and erode customer trust.
  • Legal and Financial Penalties: Breaches of privacy laws due to unauthorized access to call data can result in significant fines and legal action.
  • Operational Disruption: While not directly a denial-of-service, a compromise could force organizations to suspend or re-evaluate their call recording operations.

Given that the exploits are public, organizations using Eleveo Call Recording Software 9.7.0 are at immediate risk of targeted attacks.

Threat Landscape

Improper authorization is a common and dangerous vulnerability class that consistently ranks among the top security risks. In enterprise applications, especially those handling critical data like call recordings, authorization flaws are particularly attractive to attackers. The public disclosure of exploits for these Eleveo vulnerabilities means that even less sophisticated attackers can leverage them. The lack of vendor response further exacerbates the threat, leaving users without an official patch or guidance and forcing them to rely on workaround mitigations if possible. This situation creates a window of opportunity for threat actors to actively scan for and exploit vulnerable Eleveo installations. Organizations using call recording solutions must recognize that such systems are high-value targets for data exfiltration and intellectual property theft, making robust security, including strict access controls and timely patching, paramount.

Remediation

Given the public disclosure of exploits and the lack of a vendor response from Eleveo, immediate remediation and mitigation strategies are critical for organizations using Eleveo Call Recording Software 9.7.0.

  • Isolate and Restrict Access: If possible, isolate the Eleveo Call Recording Software system from direct internet access. Implement strict network segmentation to limit communication to only necessary internal services and authorized users.
  • Access Control Review: Immediately review and tighten all access controls for the Eleveo software. Ensure that only absolutely necessary personnel have access to the system and its functions, following the principle of least privilege.
  • Monitor for Exploitation Attempts: Implement enhanced logging and monitoring for the affected URLs (/callrec/audio.jsp and /callrec/composeEmailAction.do) and any unusual activity within the Eleveo application. Look for repeated attempts to manipulate callId or other parameters.
  • Web Application Firewall (WAF): Deploy a WAF in front of the Eleveo application to detect and potentially block requests that attempt to exploit these authorization flaws. Custom WAF rules may be necessary to specifically target the callId parameter manipulation or anomalous requests to composeEmailAction.do.
  • Consider Alternative Solutions: In the absence of an official patch or vendor support, organizations should evaluate the continued use of Eleveo Call Recording Software 9.7.0 and consider migrating to alternative, actively supported solutions that prioritize security.
  • Contact Vendor: Continue to reach out to Eleveo for an official statement, patch, or mitigation guidance.

This situation highlights the crucial need for organizations to conduct thorough due diligence on software vendors, particularly concerning their commitment to security vulnerability response and lifecycle support.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call