Overview
CVE-2025-34330 describes a significant security vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances. Versions up to and including 2.6.23 are vulnerable to an unauthenticated file upload in the web administration component (F2MAdmin). The flaw allows remote attackers to upload arbitrary files without authenticating, which can lead to manipulation of IVR audio content or serve as a stepping stone to further exploitation.
Technical Details
The vulnerability resides in the AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php script. This endpoint performs no authentication or authorization check, and it also performs no file-type validation. It accepts uploaded files and saves them to the C:\F2MAdmin\tmp directory. The filename used for saving is derived from application constants rather than from attacker input, so the attacker cannot choose an arbitrary name, but the fixed names still allow existing files in that directory to be overwritten. Together, these factors allow an unauthenticated attacker to upload malicious files.
CVSS Analysis
Currently, a CVSS score for CVE-2025-34330 has not been officially assigned (N/A). However, given the unauthenticated nature of the file upload and its potential impact, a high severity score is likely. The vulnerability does not directly allow arbitrary code execution, but an attacker could overwrite existing audio files, potentially causing a denial of service, enabling social engineering attacks, or using the upload as a stepping stone to further compromise of the system.
Possible Impact
The exploitation of CVE-2025-34330 can have several serious consequences:
- Tampering with IVR Audio Content: Attackers can replace legitimate IVR prompts with malicious audio, leading to misinformation or social engineering attacks against callers.
- Music-on-Hold Manipulation: Replacing music-on-hold files with offensive or malicious audio.
- Preparation for Further Attacks: Uploaded files could be leveraged in subsequent attacks, such as cross-site scripting (XSS) if the /tmp directory is web-accessible, or code execution if a separate vulnerability exists that can execute files from this location.
- Denial of Service: Replacing important audio files with corrupted ones can prevent IVR functionality.
Mitigation or Patch Steps
Based on the available information, AudioCodes has released an End-of-Service announcement for the Auto-Attendant IVR solution, so a direct patch is unlikely. Recommended mitigation strategies include:
- Discontinue Use: The safest approach is to discontinue the use of the affected AudioCodes Fax Server and Auto-Attendant IVR appliances, especially if they are internet-facing.
- Network Segmentation: If discontinuing use is not immediately feasible, isolate the appliances on a separate network segment with strict access control policies.
- Web Application Firewall (WAF): Deploying a WAF in front of the appliance might help to filter out malicious requests targeting the ajaxPromptUploadFile.php endpoint. However, this is not a guaranteed solution.
- Monitor Access Logs: Closely monitor access logs for any suspicious activity targeting the AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php endpoint.
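The log-monitoring step above can be turned into a small detection script. The following is an added example written for this advisory, not code from AudioCodes or from the F2MAdmin product. It assumes the web server writes access logs in Apache/NCSA common format (the appliance's actual log format and location are not stated here and may differ), matches the endpoint path case-insensitively because the appliance runs on Windows, strips any query string before comparing, and treats POST requests to the endpoint from outside a configured administrative network as the events worth alerting on. The log lines in the block are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Path of the unauthenticated upload endpoint described in the advisory.
UPLOAD_ENDPOINT = "/AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php"

# Apache/NCSA common log format (an assumption about the appliance's logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines for demonstration; not from a real appliance.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /AudioCodes_files/login.php HTTP/1.1" 200 1523
203.0.113.7 - - [12/Mar/2025:10:02:15 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php HTTP/1.1" 200 45
10.0.0.5 - - [12/Mar/2025:10:03:40 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php?x=1 HTTP/1.1" 200 45
203.0.113.7 - - [12/Mar/2025:10:04:01 +0000] "POST /audiocodes_files/utils/ivr/diagram/AJAXPROMPTUPLOADFILE.PHP HTTP/1.1" 200 45
198.51.100.9 - - [12/Mar/2025:10:05:00 +0000] "GET /AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php HTTP/1.1" 405 0
this line is not a valid log entry
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path):
    """Drop the query string and lower-case the path (Windows paths are case-insensitive)."""
    return path.split("?", 1)[0].lower()


def find_endpoint_requests(log_text):
    """Return every parsed request whose path is the upload endpoint, regardless of method."""
    target = UPLOAD_ENDPOINT.lower()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and normalize_path(rec["path"]) == target:
            hits.append(rec)
    return hits


def upload_attempts(events):
    """Keep only POST requests; the upload handler is exercised by POST bodies."""
    return [e for e in events if e["method"] == "POST"]


def count_by_source(events):
    """Count requests per source IP, so repeated uploads from one host stand out."""
    return Counter(e["ip"] for e in events)


def untrusted_sources(events, trusted_cidrs):
    """Return the set of source IPs that fall outside the administrative networks."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    out = set()
    for e in events:
        try:
            addr = ipaddress.ip_address(e["ip"])
        except ValueError:
            out.add(e["ip"])  # unparsable source is worth a look too
            continue
        if not any(addr in n for n in nets):
            out.add(e["ip"])
    return out


if __name__ == "__main__":
    # ASSUMPTION: administration is only expected from the 10.0.0.0/8 management range.
    events = find_endpoint_requests(SAMPLE_LOG)
    posts = upload_attempts(events)
    print(f"{len(events)} requests to the upload endpoint, {len(posts)} of them POST")
    for ip, n in count_by_source(posts).most_common():
        print(f"  {ip}: {n} upload attempt(s)")
    for ip in sorted(untrusted_sources(posts, ["10.0.0.0/8"])):
        print(f"ALERT: upload attempt from non-admin source {ip}")
```

Every POST to the endpoint is notable on an appliance that no longer receives patches, but a POST from outside the management network is the case to page on, because the endpoint needs no credentials and the source cannot be an administrator who simply forgot to log in. Running the script over a real log file means replacing SAMPLE_LOG with the file contents and adjusting LOG_RE if the appliance's log format differs.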
Important: Given the lack of official support and patches, migrating to a more secure and supported solution is strongly advised.
