Overview
CVE-2025-34333 is a local privilege escalation vulnerability in AudioCodes Fax Server and Auto-Attendant IVR appliances, affecting versions up to and including 2.6.23. An authenticated local user with no special rights can escalate to NT AUTHORITY\SYSTEM, the highest privilege level on Windows, which amounts to complete compromise of the appliance. The flaw is a configuration weakness rather than a memory-safety bug, so exploitation needs no exploit development beyond writing a file and issuing an HTTP request.
Technical Details
The root cause of CVE-2025-34333 is overly permissive file system permissions on the web document root. The affected appliances place the webroot at C:\F2MAdmin\F2E and grant Modify rights on that directory to ordinary authenticated local users. Critically, the web server that serves this directory runs as NT AUTHORITY\SYSTEM, so any server-side script (e.g., ASP or PHP) a local user creates or edits there is executed by a SYSTEM process. The two settings are individually common; it is their combination, a writable webroot served by SYSTEM, that turns a file write into code execution at the highest privilege level.
A local user drops a malicious script into the webroot and then requests it over HTTP from the appliance's own web server; the server executes it as SYSTEM. From there the attacker can install persistence or other malware, create local administrator accounts, read any file on the system, or tamper with the fax and IVR services themselves. Note that the prerequisite is a local account on the appliance: the weakness does not by itself give an unauthenticated network attacker a way in, but any foothold (a shared operator login, a compromised service account) becomes full control.
CVSS Analysis
No official CVSS score has been published for this CVE (it is currently listed as N/A). Working from the description, a CVSS v3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H fits the facts: local access with low privileges is required, no user interaction is needed, and the outcome is full SYSTEM control with high impact on confidentiality, integrity and availability. That vector scores 7.8, a High rating. It falls short of Critical because the attacker must already hold a local account on the appliance. Treat the 7.8 as an estimate derived from the advisory text until an official score is assigned.
Possible Impact
The exploitation of CVE-2025-34333 can have severe consequences, including:
- Complete System Compromise: An attacker gaining SYSTEM privileges can take full control of the affected appliance.
- Data Breach: Sensitive data stored on the appliance, or accessible through it, could be stolen.
- Malware Installation: The attacker could install malware, such as ransomware or backdoors, on the system.
- Lateral Movement: If the appliance is part of a larger network, the attacker could use it as a stepping stone to compromise other systems.
- Denial of Service: The attacker could disable the appliance, disrupting fax and IVR services.
Mitigation or Patch Steps
Unfortunately, according to the AudioCodes product notice, the Auto-Attendant IVR solution is End-of-Service. Therefore, no official patch is expected to be released. The recommended mitigation steps are:
- Discontinue Use: The most effective mitigation is to discontinue the use of the affected AudioCodes Fax Server and Auto-Attendant IVR appliances entirely.
- Network Segmentation: If immediate decommissioning is not possible, isolate the appliance on a separate network segment with strict access controls to limit the potential impact of a compromise.
- Webroot Permissions Hardening (Advanced): Although not officially supported, administrators can remove Modify and Write rights for Authenticated Users and other non-administrative principals on C:\F2MAdmin\F2E and its subdirectories, leaving only Read and Execute so the web server can still serve existing content. Test thoroughly first: if any appliance component writes into the webroot at runtime, the change will break it. This is a stopgap, not a vendor-supported fix, and it should be paired with monitoring.
- Monitor for Suspicious Activity: Watch for new or modified files under the webroot (server-side script files in particular), for the web server process spawning unexpected child processes, and for unusual network connections originating from the appliance.
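As an added example, not AudioCodes code and not part of the original advisory, the following PowerShell script checks a webroot ACL for the condition described above (write-capable Allow entries for low-privilege principals), optionally applies the unsupported hardening by replacing those entries with ReadAndExecute, and optionally enables file-system auditing so that new or modified files in the webroot appear as Security log Event ID 4663. The default path is the one named in the advisory; the -Harden and -Audit switches, the principal list and the rights mask are this example's own assumptions. Run it from an elevated PowerShell session on a test appliance before touching production.

```powershell
<#
  Added example (not AudioCodes-supplied code): audit the webroot ACL that
  CVE-2025-34333 depends on, optionally strip write rights from low-privilege
  principals, and optionally turn on file-system auditing for the webroot.
  -WebRoot defaults to the path named in the advisory; -Harden and -Audit are
  this example's own switches.  Requires an elevated session.
#>
param(
    [string]$WebRoot = 'C:\F2MAdmin\F2E',
    [switch]$Harden,
    [switch]$Audit
)

# Any of these rights lets a principal create or alter a server-side script in the webroot.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles, AppendData, Delete'

# Principals every ordinary local user belongs to (assumed list); none of them should be able
# to write to content that a SYSTEM-level web server executes.
$LowPriv = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-LowPrivWriteAces {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band ([int]$WriteMask)) -ne 0 -and
        $LowPriv -contains $_.IdentityReference.Value
    }
}

$bad = @(Get-LowPrivWriteAces -Path $WebRoot)
if ($bad.Count -eq 0) {
    Write-Host "OK: no low-privilege write ACEs on $WebRoot"
} else {
    Write-Warning "$($bad.Count) low-privilege write ACE(s) on $WebRoot (vulnerable configuration):"
    $bad | Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
}

if ($Harden -and $bad.Count -gt 0) {
    # Inherited ACEs cannot be removed in place: break inheritance while copying the
    # inherited entries into explicit ones, commit, then re-read the ACL.
    if ($bad | Where-Object IsInherited) {
        $acl = Get-Acl -Path $WebRoot
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $WebRoot -AclObject $acl
    }
    $acl = Get-Acl -Path $WebRoot
    foreach ($ace in @(Get-LowPrivWriteAces -Path $WebRoot)) {
        # Swap the write-capable ACE for ReadAndExecute with the same inheritance scope,
        # so the web server can still serve existing files but non-admins cannot add scripts.
        [void]$acl.RemoveAccessRule($ace)
        $ro = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $ace.IdentityReference, 'ReadAndExecute',
            $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.AddAccessRule($ro)
    }
    Set-Acl -Path $WebRoot -AclObject $acl
    Write-Host "Hardened $WebRoot; re-test fax and IVR functionality before leaving this in place."
}

if ($Audit) {
    # Record successful writes and deletes under the webroot by anyone (Event ID 4663).
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    $sacl = Get-Acl -Path $WebRoot -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone', 'Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success')
    $sacl.AddAuditRule($rule)
    Set-Acl -Path $WebRoot -AclObject $sacl
    Write-Host "Auditing enabled on $WebRoot; watch the Security log for 4663 events naming this path."
}
```

Run it without switches first to confirm the finding (it only reads the ACL); `-Audit` is the lower-risk change and can be applied on its own if hardening is judged too likely to break the appliance. The audit rule covers Everyone deliberately: a SYSTEM process writing into the webroot is just as interesting as a user doing so, since it would explain whether the hardening step is safe.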
