A vulnerability was determined in Eleveo Call Recording Software 9.7.0. This vulnerability affects unknown code of the file /callrec/composeEmailAction.do. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Security readout for executives and security teams
Plain-English summary
CVE-2026-15472 is an improper authorization issue in Eleveo Call Recording Software 9.7.0. A remotely authenticated user may be able to manipulate the email composition function in a way they should not be allowed to. Public disclosure includes an exploit reference, but the provided sources do not show confirmed active exploitation.
Executive priority
Treat this as a timely remediation and exposure-reduction item, not a confirmed breach indicator. Prioritize if Eleveo 9.7.0 is internet-facing, broadly accessible, or used for sensitive call recordings.
Technical view
The issue affects /callrec/composeEmailAction.do in Eleveo Call Recording Software 9.7.0. VulDB describes CWE-266 and CWE-285 improper authorization, remotely exploitable with low privileges and no user interaction. CVSS 4.0 is 5.3. The vendor reportedly did not respond to early disclosure, and no vendor fix is identified in the provided sources.
Likely exposure
Exposure is most relevant for organizations running Eleveo Call Recording Software 9.7.0, especially where the call recording web application is reachable by broad internal user populations or remotely accessible authenticated users.
Exploitation context
The sources state that an exploit has been publicly disclosed and may be utilized. They do not provide evidence of CISA KEV listing or confirmed active exploitation. The vulnerability requires low privileges, so compromised or overly broad user accounts may increase risk.
Researcher notes
Evidence is mainly from VulDB and CVE records. The affected code is described as unknown, and no vendor advisory, patch, or detailed root cause is included in the provided bundle. Avoid assuming impact beyond low confidentiality loss and improper authorization.
Mitigation direction
Check Eleveo guidance for an official fix or supported workaround.
Restrict access to the call recording web interface to trusted networks and users.
Review role permissions for email-related functions in Eleveo Call Recording.
Monitor requests to /callrec/composeEmailAction.do for unusual low-privilege activity.
Reduce unnecessary accounts and privileges until vendor remediation is available.
Validation and detection
Confirm whether Eleveo Call Recording Software 9.7.0 is deployed.
Identify systems exposing the /callrec/ application path.
Review access logs for /callrec/composeEmailAction.do activity.
Test authorization controls only in an approved defensive environment.
Document affected instances and compensating controls for remediation tracking.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-266: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
4CVSS vectors
6Timeline events
0ADP providers
6Source links
CVSS vector scores
4 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-266 · source CWE mapping
Incorrect Privilege Assignment
Incorrect Privilege Assignment represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.