Overview
A significant security vulnerability, identified as CVE-2025-34329, affects AudioCodes Fax Server and Auto-Attendant IVR appliances up to and including version 2.6.23. This flaw allows unauthenticated remote attackers to upload arbitrary files to the server, potentially leading to remote code execution (RCE) with system-level privileges.
Technical Details
The vulnerability resides in the F2MAdmin web interface, specifically at the AudioCodes_files/ajaxBackupUploadFile.php endpoint. This script lacks proper authentication, authorization, and file-type validation, enabling attackers to directly upload files.
Here’s a breakdown of the exploit:
- Unauthenticated Access: The
ajaxBackupUploadFile.phpendpoint does not require any authentication. - Directory Creation: The script dynamically determines the backup directory path based on the application’s configuration. Critically, it also creates this directory if it doesn’t already exist.
- Arbitrary File Upload: Attackers can upload any file to the determined location.
- Filename Control: The attacker controls the filename used when the uploaded file is moved to the backup directory.
- Exploitation: On Windows deployments, if the backup directory resolves to a location on the system drive, an attacker can upload web server or interpreter configuration files. This can lead to a scenario where a log file or other server-controlled resource is treated as executable code. Subsequent HTTP requests can then trigger arbitrary command execution under the web server account, which typically runs as
NT AUTHORITY\SYSTEM.
CVSS Analysis
CVSS score is not available. However, given the unauthenticated nature of the vulnerability and the potential for remote code execution as SYSTEM, this is considered a critical vulnerability.
Possible Impact
Successful exploitation of CVE-2025-34329 can have severe consequences, including:
- Complete System Compromise: Attackers gain full control over the affected appliance, including access to sensitive data, system configuration, and network resources.
- Data Breach: Fax and IVR data, which may contain confidential information, can be accessed and exfiltrated.
- Service Disruption: The appliance can be taken offline, disrupting fax and IVR services.
- Lateral Movement: Compromised appliances can be used as a foothold to attack other systems on the network.
Mitigation and Patch Steps
Unfortunately, AudioCodes has issued an End-of-Service announcement for their Auto-Attendant IVR solution. This means that there will likely be no official patch for this vulnerability.
Therefore, the recommended mitigation steps are:
- Upgrade: If possible, migrate to a supported fax/IVR solution.
- Network Segmentation: Isolate the AudioCodes appliance from the rest of the network to limit the potential impact of a successful attack.
- Access Control Lists (ACLs): Restrict network access to the appliance to only authorized users and systems.
- Web Application Firewall (WAF): Deploy a WAF to filter malicious requests to the
ajaxBackupUploadFile.phpendpoint. This may require custom rules. - Monitor for Suspicious Activity: Monitor network traffic and system logs for any signs of exploitation attempts, such as unauthorized file uploads or unusual command execution.
Important Note: Since an official patch is unlikely, these mitigation steps may not be fully effective and should be implemented in conjunction with a thorough risk assessment.
References
Pierre Kim’s Advisory
Pierre Kim’s Blog Post
AudioCodes End-of-Service Notice
VulnCheck Advisory
