CVE-2026-15374 in Call Recording Software
Summary
by MITRE • 07/10/2026
A flaw has been found in Eleveo Call Recording Software 9.7.0. This affects an unknown function of the file /callrec/roleAddAction.do of the component Group Interface. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability resides within Eleveo Call Recording Software version 9.7.0, specifically targeting the Group Interface component through the /callrec/roleAddAction.do file. The flaw represents a critical authorization bypass issue that allows attackers to manipulate the system's access control mechanisms without proper authentication. The vulnerability affects an unknown function within this particular file, suggesting a potential weakness in the software's role-based access control implementation where unauthorized users can potentially escalate privileges or gain access to restricted functionalities.
The technical nature of this flaw constitutes a privilege escalation vulnerability that operates through manipulation of the role assignment functionality within the group interface. Attackers can exploit this weakness by crafting specific requests that bypass normal authorization checks, effectively allowing them to perform administrative actions or access sensitive data that should be restricted to authorized personnel only. This remote exploitation capability significantly amplifies the threat surface, as attackers do not require physical access to the system or network proximity to execute the attack.
The operational impact of this vulnerability extends beyond simple unauthorized access, potentially enabling full administrative control over the call recording system. Attackers could manipulate user roles, add new administrators, or modify existing permissions to create backdoors for persistent access. This type of vulnerability directly violates the principle of least privilege and can lead to complete system compromise, especially when combined with other potential weaknesses in the application's architecture. The fact that a working exploit has been published increases the risk profile significantly.
Security practitioners should immediately implement network-based mitigations including firewall rules that restrict access to the vulnerable endpoint /callrec/roleAddAction.do, particularly from untrusted networks. Access control lists should be configured to limit who can reach this interface, and all unnecessary administrative interfaces should be disabled or moved behind additional security layers. The lack of vendor response to early disclosure attempts suggests a potential delay in patch development or inadequate security monitoring within the vendor's organization, making proactive mitigation essential.
This vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems, and represents a clear violation of the principle that access controls must be enforced consistently throughout application components. From an attack perspective, this flaw maps to ATT&CK technique T1078 which covers valid accounts and privilege escalation through unauthorized access to administrative functions. Organizations should conduct comprehensive audits of their Eleveo installations to identify potential exploitation attempts and implement monitoring for unusual role assignment activities that could indicate exploitation attempts.
The remote exploit capability of this vulnerability makes it particularly dangerous in environments where the software is exposed to external networks or where network segmentation is inadequate. System administrators should also consider implementing web application firewalls specifically configured to detect and block malicious requests targeting known vulnerable endpoints, as well as establishing incident response procedures for potential exploitation attempts. Regular security assessments of third-party applications should include verification that known vulnerabilities have been patched or adequately mitigated through alternative controls.
Organizations utilizing Eleveo Call Recording Software should prioritize immediate remediation efforts including applying vendor patches if available, implementing network segmentation to isolate vulnerable components, and monitoring for suspicious access patterns related to role management functions. The absence of vendor response to initial disclosure raises concerns about the long-term security support for this software version, potentially warranting consideration of alternative solutions or enhanced compensating controls to maintain adequate security posture while awaiting official patches.