CVE-2026-15375 in Call Recording Softwareinfo

Summary

by MITRE • 07/10/2026

A vulnerability has been found in Eleveo Call Recording Software 9.7.0. This impacts an unknown function of the file /callrec/users_ldap.jsp of the component LDAP User Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability in Eleveo Call Recording Software version 9.7.0 represents a critical authorization flaw that compromises the system's security controls through improper access management. The issue manifests within the LDAP User Interface component, specifically in the /callrec/users_ldap.jsp file which handles user authentication and directory services integration. The vulnerability allows attackers to bypass legitimate authorization checks and gain unauthorized access to user accounts and system resources. This represents a fundamental breakdown in the software's security architecture where the authentication mechanism fails to properly validate user credentials or roles before granting access to sensitive functionality.

The technical implementation of this flaw likely involves insufficient input validation or improper session management within the LDAP integration interface. Attackers can exploit this vulnerability remotely without requiring physical access or prior authentication, making it particularly dangerous as it can be leveraged from any network location. The vulnerability's disclosure status indicates that threat actors have already developed working exploits that could be used in active attacks against vulnerable systems. This public availability of exploitation tools significantly increases the risk profile and makes immediate remediation essential for organizations using this software.

From a cybersecurity perspective, this vulnerability aligns with CWE-285 (Improper Authorization) and represents a clear violation of the principle of least privilege that should govern all authentication systems. The attack vector classification places this under remote exploitation capabilities, which typically maps to high severity in threat modeling frameworks. Organizations running Eleveo Call Recording Software 9.7.0 are potentially exposed to credential theft, unauthorized data access, and possible lateral movement within their network infrastructure. The lack of vendor response after initial disclosure creates additional operational risk as organizations cannot rely on official patches or updates to address the vulnerability.

The operational impact extends beyond immediate unauthorized access to include potential data exfiltration and system compromise. Attackers could leverage this vulnerability to establish persistent access, escalate privileges, or use the compromised system as a foothold for broader network infiltration. This aligns with ATT&CK technique T1078 (Valid Accounts) and potentially T1566 (Phishing for Information) if attackers use stolen credentials for further attacks. Organizations should immediately implement network segmentation, monitor for suspicious authentication attempts, and consider disabling unnecessary LDAP integration until a proper fix is available.

Mitigation strategies should include immediate implementation of network-based controls such as firewall rules to restrict access to the vulnerable endpoint, deployment of intrusion detection systems to monitor for exploitation attempts, and consideration of temporary workarounds like disabling LDAP functionality. Organizations must also conduct comprehensive vulnerability assessments across their entire network to identify any other systems that might be running the same vulnerable software version. The absence of vendor response creates additional risk management considerations requiring organizations to develop their own temporary security measures while seeking alternative solutions or vendor support through multiple channels.

Responsible

VulDB

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!