Overview
CVE-2025-34332 describes a critical local privilege escalation (LPE) vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances. Specifically, versions up to and including 2.6.23 are vulnerable due to overly permissive access control lists (ACLs) on crucial batch scripts used for managing Windows services. This allows any authenticated local user to modify these scripts and execute arbitrary code with SYSTEM privileges.
Technical Details
The vulnerability lies within the web administration component of the AudioCodes Fax/IVR appliance. This component uses helper batch scripts, located under C:\\F2MAdmin\\F2E\\AudioCodes_files\\utils\\Services, to control back-end Windows services. When specific service actions are requested through ajaxPost.php, these scripts are invoked by PHP using the system() function, running under the NT AUTHORITY\\SYSTEM account.
Crucially, the ACLs on the batch files within the Services directory are overly permissive, granting write access to any authenticated local user. This means a malicious user can replace the content of these scripts with arbitrary commands. When the next service start/stop operation is triggered through the web interface, the modified script is executed as SYSTEM, granting the attacker complete control over the system.
CVSS Analysis
While a CVSS score is not yet available, this vulnerability represents a high-risk scenario. Given that it allows local privilege escalation to SYSTEM, it is likely to receive a high CVSS score upon formal assignment.
Possible Impact
Successful exploitation of CVE-2025-34332 allows a local attacker to gain complete control over the affected AudioCodes Fax Server and Auto-Attendant IVR appliance. This can lead to:
- Full system compromise: The attacker gains complete control over the server.
- Data breach: Sensitive data stored on the server can be accessed and exfiltrated.
- Service disruption: The attacker can disable critical services, disrupting fax and IVR functionality.
- Malware deployment: The attacker can install malware and use the compromised server as a foothold for further attacks within the network.
Mitigation or Patch Steps
Unfortunately, official patches are unlikely since the affected products are nearing or have reached their End-of-Service life. According to AudioCodes’ End-of-Service Product Notice, the suggested mitigation is to upgrade to a supported product.
If upgrading is not immediately feasible, consider the following workaround (although its effectiveness and stability are not guaranteed and should be thoroughly tested in a non-production environment before implementation):
- Restrict ACLs: Modify the ACLs on the batch files located in
C:\\F2MAdmin\\F2E\\AudioCodes_files\\utils\\Servicesto restrict write access to only theSYSTEMaccount and the administrators group. This can be done using the Windowsicaclscommand. - Monitor Batch Script Integrity: Implement a system that regularly checks the integrity of the batch files in the
Servicesdirectory. Any unauthorized modification should trigger an alert. - Network Segmentation: Isolate the AudioCodes appliance on a separate network segment with strict access control policies to limit the potential impact of a compromise.
