Executive Summary
A high-severity SQL injection vulnerability has been disclosed in Aster Telecom Azcall versions 10 and 11, tracked as CVE-2026-15482 with a CVSS score of 7.3 (HIGH). The flaw exists in the platform's HTTP handler component, where attacker-controlled URL parameters are not properly sanitized before being incorporated into database queries.
Published by NVD on July 12, 2026, this vulnerability exposes telecom platforms to database extraction, authentication bypass, and potential further compromise of backend systems.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-15482 |
| CVSS Score | 7.3 (HIGH) |
| Type | SQL Injection |
| Component | HTTP Handler — Admin Panel |
| Vulnerable Path | /azcall/adm/gestao_loja/sis.php?t=consultar |
| Affected Parameters | nome, perfil, status |
| Attack Vector | Network |
| Authentication | Context-dependent (admin panel) |
| Published | July 12, 2026 |
Technical Details
Root Cause
The vulnerability resides in the file sis.php within the Azcall admin panel (/azcall/adm/gestao_loja/). The PHP script accepts the t=consultar query action, and the parameters nome, perfil, and status are passed directly into SQL queries without adequate sanitization or parameterization.
This is a classic unsanitized input SQL injection — one of the most persistent and well-understood vulnerability classes in web application security.
Vulnerable Endpoint
GET /azcall/adm/gestao_loja/sis.php?t=consultar&nome=[INJECT]&perfil=[INJECT]&status=[INJECT]
An attacker who can reach this endpoint can manipulate the SQL query executed against the backend database.
Attack Scenarios
Scenario 1: Data Extraction
- Inject UNION-based or blind SQLi payload into `nome` parameter
- Extract user credentials, customer records, billing data from database
Scenario 2: Authentication Bypass
- Manipulate `perfil` or `status` conditions to bypass access controls
- Gain unauthorized access to restricted admin functions
Scenario 3: Database Enumeration
- Enumerate database schema, tables, and column names
- Map internal data structures for targeted extractionSQL Injection Classes Applicable
| Type | Description |
|---|---|
| Error-based | Force database errors that reveal structure/data |
| UNION-based | Append additional SELECT queries to extract data |
| Blind Boolean | Infer data from true/false responses |
| Time-based Blind | Use time delays (SLEEP()) to extract data bit by bit |
About Aster Telecom Azcall
Azcall is a telecom management platform used by service providers to manage stores, subscriptions, and customer accounts. The admin panel (/adm/) is the internal management interface for operators. SQL injection in this context puts at risk:
- Customer PII (names, contacts, billing details)
- Subscription and service data
- Operator credentials and access tokens
- Internal business data managed through the platform
Affected Versions
| Product | Affected Versions |
|---|---|
| Aster Telecom Azcall | Version 10 |
| Aster Telecom Azcall | Version 11 |
Check with the vendor for patch availability and upgrade paths.
Remediation
Immediate Actions
- Restrict access to
/azcall/adm/— limit to trusted IP ranges via firewall or web server ACLs - Apply vendor patch if available — contact Aster Telecom for updated builds
- Implement a Web Application Firewall (WAF) rule to block SQL injection patterns on the affected parameters
- Audit logs for existing exploitation — look for SQLi payloads in request logs targeting
sis.php
Developer Remediation (If Code Access Is Available)
Replace raw query construction with parameterized queries / prepared statements:
// VULNERABLE (do not use)
$query = "SELECT * FROM loja WHERE nome = '" . $_GET['nome'] . "'";
// SAFE — parameterized query
$stmt = $pdo->prepare("SELECT * FROM loja WHERE nome = ?");
$stmt->execute([$_GET['nome']]);Also apply:
- Input validation — whitelist acceptable values for
perfilandstatus - Least privilege — database user for the app should have minimal permissions
- Error suppression — disable verbose database error output in production
Detection
Log Review
Search web server access logs for SQLi indicators targeting the vulnerable path:
grep "sis.php" access.log | grep -iE "(union|select|sleep|benchmark|0x|--|%27|%22)"Indicators of Compromise
| Indicator | Description |
|---|---|
UNION SELECT in request parameters | UNION-based SQLi attempt |
SLEEP() or BENCHMARK() in params | Time-based blind SQLi |
-- or # comment sequences | Query termination injection |
Large numbers of requests to sis.php | Automated SQLi scanning |
| Unusual data volumes in responses | Successful data extraction |
Key Takeaways
- CVSS 7.3 HIGH — SQL injection in Aster Telecom Azcall admin panel
- Parameters
nome,perfil,statusinsis.phpare vulnerable to injection - Restrict admin panel access via IP allowlisting immediately
- Apply WAF rules to block SQLi patterns on the affected endpoint
- Engage the vendor for an official patch — consider upgrading or migrating if unsupported