CVE-2025-32106
Published: 03 June 2025
Summary
CVE-2025-32106 is a critical-severity Code Injection (CWE-94) vulnerability in Audiocodes Mp-112 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-32106 affects Audiocodes Mediapack MP-11x devices running firmware through version 6.60A.369.002. The flaw is an instance of CWE-94 in which a crafted POST request can be used to inject and execute arbitrary code on the device. The vulnerability carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, unauthenticated attack complexity that results in full compromise of confidentiality, integrity, and availability.
An unauthenticated remote attacker can submit a specially formed POST request to the affected web interface and obtain the ability to run unauthorized code. Successful exploitation grants the attacker the same privileges as the process handling the request, enabling arbitrary command execution without prior authentication or user interaction.
The listed references point to the vendor site and two technical reports hosted on GitHub; no explicit patch or mitigation guidance is supplied in the available data. The associated EPSS score remains flat at 0.0234 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16750
Vulnerability details
In Audiocodes Mediapack MP-11x through 6.60A.369.002, a crafted POST request request may result in an unauthenticated remote user's ability to execute unauthorized code.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated remote code execution via a crafted POST request to the Audiocodes Mediapack MP-11x web interface, a public-facing application.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.