CVE-2021-37441
Description
NCH Axon PBX v2.22 and earlier allows path traversal for file deletion via the logdelete?file=/.. substring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NCH Axon PBX v2.22 and earlier allows an authenticated remote attacker to delete arbitrary files via path traversal in the logdelete endpoint.
Vulnerability
NCH Axon PBX versions 2.22 and earlier contain a path traversal vulnerability in the logdelete endpoint. An authenticated attacker can specify a file parameter with a ../ sequence (e.g., logdelete?file=/../../../../../../Windows/win.ini) to traverse outside the intended log directory and target arbitrary files on the Windows file system [1]. The vendor states this is a legacy product no longer supported [1].
Exploitation
Exploitation requires an authenticated session with the Axon PBX web management interface. The attacker sends a crafted HTTP GET request to the logdelete endpoint, providing a file parameter that includes ../ sequences to escape the log directory [2]. No additional user interaction is needed beyond the initial authentication. The application’s file deletion logic follows the supplied path without proper validation, enabling access to files such as Windows\win.ini or credential stores of other NCH Software applications located in \ProgramData\NCH Software\ [2].
Impact
Successful exploitation allows the attacker to delete any file on the system that the Axon PBX process has permission to remove. This can lead to denial of service (e.g., deleting critical system files or application binaries) and potentially facilitate further compromise by removing security controls or log files [2]. The impact is limited by the privileges of the running application process.
Mitigation
No patch is available as NCH Axon PBX is a legacy product no longer supported by the vendor [1]. Users are advised to restrict network access to the Axon PBX management interface to trusted administrators only, and monitor for unusual file deletion activity. Migrating to a supported PBX solution is the recommended long-term mitigation.
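A detection sketch for the monitoring advice above, added here as an example and not taken from the CVE record or its references: it scans web access log lines for logdelete requests whose file parameter resolves outside the log directory under Windows path rules. The log directory, the access-log format and the sample lines are assumptions constructed for illustration.

```python
import ntpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical log directory: the page does not say where Axon keeps its logs.
LOG_ROOT = r"C:\ProgramData\NCH Software\Axon\Logs"
# Assumed access-log shape (common log format); adjust to the real proxy/WAF log.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e) before judging the path."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolves_outside_logs(file_param):
    """True if LOG_ROOT + file_param lands outside LOG_ROOT under Windows rules."""
    name = fully_unquote(file_param)
    if ntpath.splitdrive(name)[0]:  # drive letter or UNC prefix supplied
        return True
    resolved = ntpath.normcase(ntpath.normpath(LOG_ROOT + "\\" + name))
    return not resolved.startswith(ntpath.normcase(LOG_ROOT) + "\\")

def suspicious_requests(lines):
    """Return the log lines that ask logdelete for a file outside the log directory."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or not url.path.lower().endswith("/logdelete"):
            continue
        if any(resolves_outside_logs(v) for v in parse_qs(url.query).get("file", [])):
            hits.append(line)
    return hits

# Constructed sample lines, not real traffic.
SAMPLE = [
    '10.0.0.5 - admin [01/Mar/2024:09:00:01 +0000] "GET /logdelete?file=axon..log HTTP/1.1" 200 2',
    '10.0.0.9 - admin [01/Mar/2024:09:02:10 +0000] "GET /logdelete?file=/../../../../../../Windows/win.ini HTTP/1.1" 200 2',
    '10.0.0.9 - admin [01/Mar/2024:09:02:14 +0000] "GET /logdelete?file=%2F..%2F..%2FOtherApp%2Fsettings.dat HTTP/1.1" 200 2',
    '10.0.0.9 - admin [01/Mar/2024:09:02:19 +0000] "GET /logdelete?file=%252e%252e%255cAxon.ini HTTP/1.1" 200 2',
    '10.0.0.5 - admin [01/Mar/2024:09:05:00 +0000] "GET /logview?file=/../x HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    print("\n".join(suspicious_requests(SAMPLE)))
```

Resolving the decoded path against the log directory, rather than matching the literal `..` substring, keeps a benign name such as `axon..log` from alerting while still catching encoded and backslash variants.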
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NCH/Axon PBX
Patches
No patches discovered yet.
References
- github.com/0xfml/poc/blob/main/NCH/Axon_2.22_LFI.md (mitre, x_refsource_MISC)
- www.nch.com.au/pbx/index.html (mitre, x_refsource_MISC)