A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown part of the file /callrec/pci_dss_status.jsp. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security readout for executives and security teams
Plain-English summary
CVE-2026-15471 is an improper authorization issue in Eleveo Call Recording Software 9.7.0. A remote, low-privileged user may be able to access or manipulate the PCI DSS status JSP page beyond intended permissions. The public record says exploit material is available, but there is no cited evidence of active exploitation.
Executive priority
Treat as a near-term remediation item for environments using Eleveo 9.7.0. Business urgency is higher if call recording systems support regulated PCI workflows or are broadly accessible. No confirmed active exploitation is cited, but public exploit availability increases operational risk.
Technical view
The issue affects /callrec/pci_dss_status.jsp in Eleveo Call Recording Software 9.7.0. It is mapped to CWE-266 and CWE-285. CVSS 4.0 score is 5.3, with network access, low attack complexity, low privileges required, no user interaction, and limited confidentiality impact. Vendor response and patch status are not documented in the provided sources.
Likely exposure
Organizations running Eleveo Call Recording Software 9.7.0 are potentially exposed, especially if the /callrec/ application is reachable by broad internal user groups, remote workers, or internet-facing access paths. Exposure appears to require some level of authenticated access.
Exploitation context
The vulnerability is remotely exploitable and public exploit material is referenced by VulDB. However, CISA KEV status is false in the provided bundle, and no cited source confirms active exploitation in the wild.
Researcher notes
Evidence is limited to the CVE/VulDB record. The affected component is identified, but the exact authorization bypass mechanics and vendor fix status are not provided. Avoid assuming other Eleveo versions are affected unless vendor or CVE records expand scope.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-266: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
4CVSS vectors
6Timeline events
0ADP providers
6Source links
CVSS vector scores
4 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-266 · source CWE mapping
Incorrect Privilege Assignment
Incorrect Privilege Assignment represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.