Overview
CVE-2025-34335 describes a critical authenticated command injection vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances. This vulnerability resides in the license activation workflow of versions up to and including 2.6.23.
Technical Details
The vulnerability exists within the AudioCodes_files/ActivateLicense.php script, which handles license activation. When a user uploads a license file, the application generates a new filename by combining a base name with the extension from the uploaded file’s original name.
Critically, this attacker-controlled extension is then incorporated into a command string for fax_server_lic_cmdline.exe without proper input validation, escaping, or argument quotation. This allows an authenticated attacker with access to the license upload interface to inject arbitrary shell metacharacters within the filename extension.
By crafting a malicious filename extension, attackers can inject and execute arbitrary commands on the system as NT AUTHORITY\SYSTEM, the highest privilege level on Windows systems.
CVSS Analysis
Currently, no CVSS score is available for CVE-2025-34335. However, given the ability to achieve arbitrary command execution as NT AUTHORITY\SYSTEM, the vulnerability is likely to be rated as Critical once a score is assigned. Factors contributing to a high score include:
- Remote Command Execution: Attackers can execute arbitrary commands on the target system.
- Privilege Escalation: The vulnerability allows attackers to gain
NT AUTHORITY\SYSTEMprivileges. - Authentication Required: While authentication is required, the relatively low barrier to entry (access to the license upload interface) increases the risk.
Possible Impact
Successful exploitation of CVE-2025-34335 can have severe consequences, including:
- Complete System Compromise: Attackers can gain full control of the affected AudioCodes appliance.
- Data Breach: Sensitive data stored on the appliance can be accessed and exfiltrated.
- Malware Installation: The appliance can be used to install malware and establish a foothold in the network.
- Denial of Service: Attackers can disrupt the normal operation of the fax server and IVR system.
- Lateral Movement: The compromised appliance can be used to attack other systems on the network.
Mitigation and Patch Steps
Unfortunately, AudioCodes has announced the End of Service for their Auto-Attendant IVR solution. Therefore a patch is unlikely to be released.
Recommended mitigation steps include:
- Discontinue Use: The most secure course of action is to discontinue the use of affected AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23.
- Network Segmentation: If discontinuing use is not immediately possible, isolate the affected appliance on a segmented network to limit potential damage from a successful attack.
- Monitor Network Traffic: Closely monitor network traffic to and from the appliance for suspicious activity.
- Disable Unnecessary Services: Disable any unnecessary services on the appliance to reduce the attack surface.
Important: Given the End-of-Life status and the severity of this vulnerability, immediate action is crucial to protect your network. Evaluate replacing the appliance immediately. Contact AudioCodes support for possible workaround options, but understand that a complete fix may not be available.
References
Pierre Kim Advisory
Pierre Kim Blog Post
AudioCodes End of Service Notice (PDF)
VulnCheck Advisory
