CVE-2021-37440
Description
NCH Axon PBX v2.22 and earlier allows path traversal for file disclosure via the logprop?file=/.. substring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NCH Axon PBX v2.22 and earlier is vulnerable to path traversal via the logprop?file= parameter, allowing authenticated file disclosure.
Vulnerability
CVE-2021-37440 affects NCH Axon PBX versions 2.22 and earlier. The application fails to sanitize the file parameter in the logprop endpoint, allowing an authenticated user to traverse directories using ../ sequences. The attack vector is the URL path HOST/logprop?file=/../../../... [1][2].
Exploitation
An attacker must have valid authentication credentials for the Axon PBX web control panel. No special privileges beyond being a logged-in admin are needed. The attacker sends a crafted HTTP GET request to the logprop endpoint with a file parameter containing path traversal sequences such as /../../../../Windows/win.ini to read arbitrary files from the server's filesystem. The referenced proof-of-concept also demonstrates a separate logdelete endpoint for file deletion [2].
Impact
Successful exploitation allows an authenticated attacker to read any file on the Windows server accessible by the Axon PBX application process. This can include configuration files, credential stores of other NCH software located in \ProgramData\NCH Software\, and sensitive system files. The confidentiality of the system is compromised; the attacker cannot directly execute code but can gather credentials that may lead to further compromise [1][2].
Mitigation
The vendor has classified Axon PBX as a legacy program no longer supported, and no security patches have been released. Users are advised to restrict access to the Axon web interface to trusted networks, use strong admin credentials, and consider migrating to an alternative supported PBX solution. This vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
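Since no vendor fix exists, the two controls a defender can apply themselves are (a) a containment check of the kind the `logprop` handler lacks, shown here against a hypothetical log directory, and (b) detection of traversal attempts against the `logprop` and `logdelete` endpoints in web-server access logs. The code below is an added illustration, not NCH's code or the referenced proof-of-concept; the log directory path, the access-log format and the sample log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical log directory; the product's real install path is not documented here.
LOG_DIR = "/opt/axon/logs"

# Endpoints named in the CVE references that take a user-controlled file parameter.
FILE_ENDPOINTS = ("/logprop", "/logdelete")

# Matches the request line inside a common-log-format access log entry (constructed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def resolve_log_file(base_dir: str, user_value: str):
    """Map a file= value onto a path inside base_dir, or return None if it escapes.

    The affected versions perform no such check, so any '../' sequence walks out of
    the log directory. POSIX path functions are used explicitly so the check behaves
    the same on every host; backslashes are folded to '/' because a Windows server
    would honour '..\\' just like '../'.
    """
    if "\x00" in user_value:
        return None  # embedded NUL can truncate the path in native file APIs
    value = user_value.replace("\\", "/").lstrip("/")  # treat the value as relative
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, value))
    if candidate == base:
        return None  # empty or '.' names the directory itself, not a log file
    try:
        if posixpath.commonpath([base, candidate]) != base:
            return None  # normalised path no longer starts with the log directory
    except ValueError:
        return None  # mixing absolute and relative parts; reject outright
    return candidate


def flag_traversal_requests(access_log_lines):
    """Return (endpoint, decoded file value) for requests carrying '..' in file=.

    The value is URL-decoded twice so that double-encoded forms such as %252e%252e
    are also caught, and backslashes are folded so '..\\' counts as traversal.
    """
    hits = []
    for line in access_log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path not in FILE_ENDPOINTS:
            continue
        # parse_qs already decodes one layer; unquote again for double-encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            decoded = unquote(raw)
            if ".." in decoded.replace("\\", "/"):
                hits.append((parts.path, decoded))
    return hits


# Constructed sample access-log lines: one legitimate log read, three traversal
# attempts (plain, percent-encoded, backslash-encoded), and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2026:10:00:01 +0000] "GET /logprop?file=axon.log HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [01/Jan/2026:10:00:07 +0000] "GET /logprop?file=/../../../../Windows/win.ini HTTP/1.1" 200 403',
    '10.0.0.9 - admin [01/Jan/2026:10:00:09 +0000] "GET /logprop?file=%2e%2e%2f%2e%2e%2fWindows%2fwin.ini HTTP/1.1" 200 403',
    '10.0.0.9 - admin [01/Jan/2026:10:00:12 +0000] "GET /logdelete?file=..%5c..%5cold.log HTTP/1.1" 200 0',
    '10.0.0.5 - admin [01/Jan/2026:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    print(resolve_log_file(LOG_DIR, "axon.log"))
    print(resolve_log_file(LOG_DIR, "/../../../../Windows/win.ini"))
    for endpoint, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt on {endpoint}: {value!r}")
```

The containment check compares the normalised candidate against the normalised base with `commonpath` rather than a string prefix test, so a sibling directory such as `/opt/axon/logs2` is not mistaken for a path inside `/opt/axon/logs`. The detector deliberately keys on the decoded value rather than the raw query string, because the same traversal can be written with `%2e`, `%2f`, `%5c` or mixed separators and a raw-string match would miss those.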
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH/Axon PBX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/0xfml/poc/blob/main/NCH/Axon_2.22_LFI.md
- www.nch.com.au/pbx/index.html
News mentions
No linked articles in our index yet.