Overview
CVE-2025-34331 describes an unauthenticated file read vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances in versions up to and including 2.6.23. This flaw allows remote, unauthenticated attackers to retrieve sensitive files from the appliance by exploiting a weakness in the download.php script. The lack of access controls on this endpoint is the root cause of the problem, enabling attackers to craft requests to download specific files.
Technical Details
The vulnerability resides in the download.php script, which is designed to facilitate file downloads. However, the script lacks proper authentication and authorization mechanisms. An attacker can specify arbitrary path and filename parameters in a request, bypassing intended security restrictions. While the application logic might restrict downloads to specific file extensions, this limitation can potentially be circumvented or is not sufficient to prevent the retrieval of sensitive data. The critical risk comes from the ability to download backup archives that might contain internal databases, credential hashes, and other sensitive configuration information.
The vulnerability exists because the application doesn’t validate the identity of the user requesting the download nor does it verify if the user has sufficient privileges to access the requested file.
CVSS Analysis
Based on the data provided, a formal CVSS score is currently unavailable (N/A). However, based on the description, the potential impact is significant. The vector is network-based and requires no privileges, and the ability to retrieve sensitive data (including credential hashes) suggests a high potential for lateral movement and further compromise. A manual assessment would likely result in a high CVSS score.
Possible Impact
Successful exploitation of CVE-2025-34331 can have severe consequences, including:
- Disclosure of Administrative Credentials: Retrieval of administrative password hashes allows attackers to gain privileged access to the appliance and potentially other systems on the network.
- Exposure of Sensitive Configuration Data: Access to configuration files exposes sensitive information such as API keys, database connection strings, and other internal details.
- Lateral Movement: Gaining access to credentials and configuration data can enable attackers to move laterally within the network, compromising other systems and data.
- Data Breach: Sensitive data stored within the appliance or accessible through it could be exposed, leading to a data breach.
Mitigation and Patch Steps
Unfortunately, a patch is unlikely to be available as the product has reached End-of-Service. According to AudioCodes (https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf), this product is no longer supported. Therefore, the following mitigation steps are recommended:
- Immediate Shutdown/Disconnection: The most effective mitigation is to immediately shut down and disconnect the affected AudioCodes Fax Server and Auto-Attendant IVR appliances from the network.
- Network Segmentation: If immediate shutdown is not possible, isolate the appliance within a tightly controlled network segment with strict access controls.
- Monitor Network Traffic: Monitor network traffic to and from the appliance for any suspicious activity, such as unexpected file downloads or attempts to access the download.php script.
- Web Application Firewall (WAF) Rules: If a WAF is in place, create rules to block access to the download.php script or to filter out malicious requests containing suspicious path and filename parameters. However, consider the bypassability of WAF rules.
- Implement Strong Access Controls (If Possible): If feasible and applicable, implement access controls on the file system to restrict access to sensitive files. Note that this mitigation may not be fully effective given the nature of the unauthenticated file read vulnerability.
- Upgrade to a Supported Solution: The best long-term solution is to migrate to a supported Fax Server and IVR solution from a different vendor.
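The monitoring and WAF steps above can be backed by a simple log review. The following Python script is an added example (not AudioCodes code or part of this advisory): it parses combined-format access-log lines (the log format is an assumption) and flags every request to download.php, additionally marking requests whose path or filename parameter (the parameter names given above) contains traversal sequences or absolute paths. The sample log lines, IPs and filenames are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-format access log prefix up to status and response size (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify_request(target):
    """Return a finding dict for a download.php request, or None for any other URL."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/download.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    reasons = ["unauthenticated download.php endpoint reached"]
    params = {}
    for name in ("path", "filename"):
        raw = qs.get(name, [""])[0]   # parse_qs has already URL-decoded once
        value = unquote(raw)          # second pass exposes double-encoded dots (%252e)
        params[name] = value
        # Traversal or absolute paths point outside the intended download directory.
        if ".." in value or value.startswith("/") or "\\" in value:
            reasons.append(f"{name} parameter escapes download directory")
    return {"params": params, "reasons": reasons}


def scan_log(lines):
    """Run classify_request over access-log lines and attach request metadata."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        finding = classify_request(m["target"])
        if finding is None:
            continue
        finding["ip"] = m["ip"]
        finding["status"] = int(m["status"])
        # A 200 with a body means the appliance actually served the requested file.
        finding["served"] = finding["status"] == 200 and m["size"] not in ("-", "0")
        findings.append(finding)
    return findings


# Constructed sample log lines (IPs from documentation ranges, filenames made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:01:09 +0000] "GET /download.php?path=reports&filename=fax_0042.pdf HTTP/1.1" 200 44210 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2025:10:02:31 +0000] "GET /download.php?path=..%2F..%2Fbackup&filename=appliance_backup.tar.gz HTTP/1.1" 200 2048000 "-" "curl/8.4.0"',
    '198.51.100.23 - - [12/Mar/2025:10:02:40 +0000] "GET /download.php?path=%252e%252e%2Fdb&filename=users.db HTTP/1.1" 404 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["served"], f["params"], "; ".join(f["reasons"]))
```

Every hit on download.php is reported because the endpoint requires no authentication, so even plain-looking downloads deserve review; the traversal flag and the served field separate confirmed file reads from failed probes.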
