CVE-2026-15373 in Call Recording Software
Summary
by MITRE • 07/10/2026
A vulnerability was detected in Eleveo Call Recording Software 9.7.0. The impacted element is an unknown function of the file /callrec/userAddAction.do. Performing a manipulation of the argument role results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability identified in Eleveo Call Recording Software version 9.7.0 represents a critical authorization bypass flaw that compromises the software's access control mechanisms. This issue manifests within the userAddAction.do servlet component where an insufficient validation of the role parameter creates an exploitable condition that allows unauthorized users to escalate their privileges. The vulnerability stems from inadequate input sanitization and authorization checks, enabling malicious actors to manipulate the role argument and gain elevated access rights within the system.
The technical exploitation of this vulnerability involves remote manipulation of the role parameter through the /callrec/userAddAction.do endpoint, which operates as a user management function within the call recording software. This flaw constitutes a direct violation of the principle of least privilege and demonstrates poor implementation of access control validation mechanisms. The vulnerability's classification aligns with CWE-285, which addresses improper authorization in software systems, and represents a clear deviation from secure coding practices that should enforce strict validation of user roles and privileges before granting system access.
From an operational perspective, this vulnerability poses significant risks to organizations utilizing Eleveo Call Recording Software, as it enables remote attackers to bypass authentication mechanisms and assume administrative or elevated user roles. The public availability of exploitation tools increases the attack surface considerably, allowing threat actors with minimal technical expertise to exploit the flaw and potentially gain complete control over the call recording system. This compromise could lead to unauthorized access to sensitive communications data, system manipulation, and potential data exfiltration from critical business communication infrastructure.
The lack of vendor response to early disclosure attempts compounds the severity of this vulnerability, leaving organizations without official patches or mitigations for an extended period. Security professionals should implement immediate defensive measures including network segmentation, firewall rule restrictions targeting the vulnerable endpoint, and monitoring for suspicious activities related to user addition operations. Organizations must also consider disabling unnecessary remote access to the affected software components until proper patches are available. This vulnerability exemplifies the importance of vendor accountability in security disclosure processes and highlights the risks associated with software suppliers failing to respond appropriately to identified security flaws.
The exploitation of this authorization bypass vulnerability aligns with tactics described in the attack pattern taxonomy, particularly those involving privilege escalation through parameter manipulation. Security teams should monitor for patterns consistent with remote code execution attempts and unauthorized user privilege elevation activities that may indicate exploitation of similar access control vulnerabilities. The absence of vendor response creates a particularly dangerous scenario where organizations must rely on community-driven security research and third-party mitigation strategies to protect their systems from active exploitation attempts.