CVE-2026-15376 in Call Recording Softwareinfo

Summary

by MITRE • 07/10/2026

A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability resides within Eleveo Call Recording Software version 9.7.0, specifically targeting an unknown function within the /callrec/statisticReportAction.do file. The flaw represents a critical authorization bypass issue that allows attackers to gain unauthorized access to sensitive reporting functionalities without proper authentication credentials. This type of vulnerability falls under the category of improper authorization as classified by CWE-285, where the application fails to properly verify user permissions before granting access to restricted resources.

The technical implementation appears to lack proper access control checks within the statisticReportAction.do endpoint, enabling remote exploitation through network-based attacks. Attackers can leverage this weakness to access call recording statistics and related data without legitimate authorization, potentially exposing sensitive communication records and business intelligence. The vulnerability's remote exploitability means that threat actors do not require physical access or local system compromise to execute their attack vectors. This characteristic significantly increases the attack surface and makes the vulnerability particularly dangerous for organizations relying on the software for secure communications monitoring.

The operational impact of this authorization bypass could be severe, as it may allow unauthorized personnel to access confidential call data, potentially including personal information, business-sensitive conversations, or regulatory compliance records. Organizations using Eleveo Call Recording Software may face significant security breaches, regulatory violations, and potential legal consequences depending on the nature of the intercepted communications. The fact that public exploitation methods exist further compounds the risk, as malicious actors can readily implement attacks without requiring advanced technical skills or custom development.

The lack of vendor response to early disclosure attempts represents a critical gap in the security remediation process, leaving affected organizations without official patches or mitigation guidance during an active threat period. Organizations should immediately implement network-based mitigations including firewall rules to restrict access to the vulnerable endpoint, disable unnecessary services, and consider temporary workarounds until official patches are available. This vulnerability aligns with ATT&CK technique T1078 for valid accounts and privilege escalation through unauthorized access to system resources, potentially enabling further attack progression within compromised environments.

Security teams should prioritize monitoring network traffic for exploitation attempts targeting the specific endpoint and implement comprehensive logging of all access attempts to the statisticReportAction.do functionality. The vulnerability demonstrates the importance of proper input validation and access control implementation in web applications, as outlined in OWASP Top Ten category A07: Identification and Authentication Failures. Organizations should also conduct thorough inventory checks to identify all instances of this software deployment and ensure comprehensive network segmentation to limit potential lateral movement if exploitation occurs. The public availability of exploit code means that this vulnerability is likely to be actively targeted by threat actors seeking unauthorized access to communication recording systems, emphasizing the urgent need for immediate remediation actions.

Responsible

VulDB

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!