CVE-2026-15377 in Call Recording Softwareinfo

Summary

by MITRE • 07/10/2026

A vulnerability was determined in Eleveo Call Recording Software 9.7.0. Affected by this vulnerability is an unknown functionality of the file /callrec/sendlogfile. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in Eleveo Call Recording Software version 9.7.0 represents a critical authorization flaw that compromises the integrity of the system's file handling mechanisms. This weakness exists within the specific endpoint /callrec/sendlogfile which appears to lack proper access controls or authentication validation. The affected functionality operates outside normal security boundaries, creating a potential pathway for unauthorized users to manipulate system resources without proper credentials or privileges.

The technical exploitation of this vulnerability demonstrates a clear failure in the software's authorization framework where remote attackers can leverage the improperly protected file endpoint to gain access to call recording data and associated system resources. This represents a fundamental breakdown in the principle of least privilege, allowing malicious actors to bypass normal security controls through publicly disclosed attack vectors. The vulnerability's classification aligns with CWE-285 which addresses improper authorization issues in software systems.

From an operational perspective, this flaw poses significant risks to organizations relying on Eleveo Call Recording Software for compliance and security monitoring purposes. The remote exploitation capability means that attackers can target the system from external networks without requiring physical access or insider knowledge of internal network structures. This vulnerability directly impacts data confidentiality and integrity, potentially exposing sensitive call recordings that may contain personal information, business communications, or other regulated data.

The lack of vendor response to early disclosure attempts creates additional operational concerns for affected organizations, as it suggests either inadequate security monitoring or delayed remediation processes within the software vendor's security operations. This delay in vendor engagement may leave organizations without timely patching options or official guidance on mitigating the risk. The public disclosure of exploit methods further compounds the threat landscape, as cybercriminals can now leverage this knowledge to target vulnerable installations without additional reconnaissance efforts.

Organizations should implement immediate network-level protections including firewall rules that restrict access to the vulnerable endpoint, deployment of intrusion detection systems to monitor for exploitation attempts, and comprehensive network segmentation to limit lateral movement if successful breaches occur. Additionally, organizations should consider disabling or restricting access to the affected functionality until official patches are available from the vendor. The exploitation of this vulnerability aligns with ATT&CK technique T1078 which covers legitimate credentials usage and privilege escalation tactics that attackers may employ when targeting authorization flaws in software applications.

Responsible

VulDB

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!