• Cybersecurity Vulnerabilities

    CVE-2025-64521: Authentik OAuth Service Account Authentication Bypass Vulnerability

    Overview: CVE-2025-64521 describes an authentication bypass vulnerability in Authentik, an open-source Identity Provider. This vulnerability affects how Authentik handles authentication for OAuth service accounts created when authenticating with client_id and client_secret to an OAuth provider. Specifically, deactivated service accounts could still be used for authentication in versions prior to 2025.8.5 and 2025.10.2.

    Technical Details: When configuring Authentik to use an OAuth provider, a service account is automatically created. In vulnerable versions of Authentik, even if this service account was deactivated (disabled), it could still be used to authenticate. This bypass occurs because the authentication process didn’t properly check the account’s…

  • Cybersecurity Vulnerabilities

    Critical Vulnerability: Unauthenticated Encryption Oracle in eGovFramework (CVE-2025-34337)

    Overview: CVE-2025-34337 describes a significant security vulnerability affecting eGovFramework common components versions up to and including 4.3.1. This vulnerability is an unauthenticated encryption oracle that allows attackers to retrieve arbitrary files from the server without proper authorization. KISA/KrCERT has identified this vulnerability as “KVE-2023-5281.”

    Technical Details: The vulnerability lies within the Web Editor’s image upload and file delivery functionality. The affected endpoints, /utl/wed/insertImage.do and /utl/wed/insertImageCk.do, encrypt server-side paths, filenames, and MIME types using symmetric encryption and embed them into download URLs returned to the client. The vulnerability arises because these encrypted parameters are trusted by other endpoints like /utl/web/imageSrc.do and…

  • Cybersecurity Vulnerabilities

    eGovFramework Under Attack: Critical Unauthenticated File Upload Vulnerability (CVE-2025-34336)

    Overview: A critical unauthenticated file upload vulnerability, identified as CVE-2025-34336, has been discovered in eGovFramework/egovframe-common-components versions up to and including 4.3.1. This flaw allows unauthenticated attackers to upload arbitrary files to affected servers, potentially leading to serious security breaches. This vulnerability is also known as KVE-2023-5280, as identified by KISA/KrCERT.

    Technical Details: The vulnerability exists in the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do image upload endpoints. These controllers accept multipart requests without requiring any authentication. The uploaded content is then processed by a shared upload helper, which stores the file on the server within a framework-controlled path. While a filename extension whitelist is…

  • Cybersecurity Vulnerabilities

    CVE-2025-34335: Critical Command Injection Vulnerability in AudioCodes Fax Server/IVR Appliances

    Overview: CVE-2025-34335 describes a critical authenticated command injection vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances. This vulnerability resides in the license activation workflow of versions up to and including 2.6.23.

    Technical Details: The vulnerability exists within the AudioCodes_files/ActivateLicense.php script, which handles license activation. When a user uploads a license file, the application generates a new filename by combining a base name with the extension from the uploaded file’s original name. Critically, this attacker-controlled extension is then incorporated into a command string for fax_server_lic_cmdline.exe without proper input validation, escaping, or argument quotation. This allows an authenticated attacker with access…

  • Cybersecurity Vulnerabilities

    CVE-2025-34333: Critical Local Privilege Escalation in AudioCodes Fax and IVR Appliances

    Overview: CVE-2025-34333 is a significant security vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances. Specifically, versions up to and including 2.6.23 are affected. This vulnerability allows an authenticated local user to escalate their privileges to SYSTEM, the highest level of privilege on a Windows system, potentially leading to complete system compromise.

    Technical Details: The root cause of CVE-2025-34333 lies in overly permissive file system permissions configured on the web document root. The vulnerable appliances configure the web document root at C:\F2MAdmin\F2E and grant modify rights to authenticated local users on this directory. Critically, the associated web server process runs…

  • Cybersecurity Vulnerabilities

    CVE-2025-34332: Critical Local Privilege Escalation in AudioCodes Fax/IVR Appliances

    Overview: CVE-2025-34332 describes a critical local privilege escalation (LPE) vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances. Specifically, versions up to and including 2.6.23 are vulnerable due to overly permissive access control lists (ACLs) on crucial batch scripts used for managing Windows services. This allows any authenticated local user to modify these scripts and execute arbitrary code with SYSTEM privileges.

    Technical Details: The vulnerability lies within the web administration component of the AudioCodes Fax/IVR appliance. This component uses helper batch scripts, located under C:\F2MAdmin\F2E\AudioCodes_files\utils\Services, to control back-end Windows services. When specific service actions are requested through ajaxPost.php, these scripts…

  • Cybersecurity Vulnerabilities

    CVE-2025-34331: AudioCodes Fax Server & IVR Unauthenticated File Read – A Critical Security Flaw

    Overview: CVE-2025-34331 describes an unauthenticated file read vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances in versions up to and including 2.6.23. This flaw allows remote, unauthenticated attackers to retrieve sensitive files from the appliance by exploiting a weakness in the download.php script. The lack of access controls on this endpoint is the root cause of the problem, enabling attackers to craft requests to download specific files.

    Technical Details: The vulnerability resides in the download.php script, which is designed to facilitate file downloads. However, the script lacks proper authentication and authorization mechanisms. An attacker can specify arbitrary path and…

  • Cybersecurity Vulnerabilities

    CVE-2025-34330: Critical Unauthenticated File Upload in AudioCodes Fax/IVR Appliances

    Overview: CVE-2025-34330 describes a significant security vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances. Specifically, versions up to and including 2.6.23 are vulnerable to an unauthenticated file upload vulnerability within the web administration component (F2MAdmin). This flaw allows remote attackers to upload arbitrary files without authentication, potentially leading to the manipulation of IVR audio content or further exploitation.

    Technical Details: The vulnerability resides in the AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php script. This endpoint lacks any form of authentication or authorization. Critically, the script also lacks proper file-type validation. It accepts uploaded files and saves them to the C:\F2MAdmin\tmp directory. The filename used for…

  • Cybersecurity Vulnerabilities

    Critical Security Flaw Exposes AudioCodes Fax/IVR Appliances to Remote Code Execution (CVE-2025-34329)

    Overview: A significant security vulnerability, identified as CVE-2025-34329, affects AudioCodes Fax Server and Auto-Attendant IVR appliances up to and including version 2.6.23. This flaw allows unauthenticated remote attackers to upload arbitrary files to the server, potentially leading to remote code execution (RCE) with system-level privileges.

    Technical Details: The vulnerability resides in the F2MAdmin web interface, specifically at the AudioCodes_files/ajaxBackupUploadFile.php endpoint. This script lacks proper authentication, authorization, and file-type validation, enabling attackers to directly upload files. Here’s a breakdown of the exploit:

    - Unauthenticated Access: The ajaxBackupUploadFile.php endpoint does not require any authentication.
    - Directory Creation: The script dynamically determines the backup directory…

  • Cybersecurity Vulnerabilities

    Tenda CH22 Router Vulnerable to Critical Buffer Overflow (CVE-2025-13400)

    Overview: A high-severity buffer overflow vulnerability, identified as CVE-2025-13400, has been discovered in Tenda CH22 routers, version 1.0.0.1. This vulnerability allows a remote attacker to potentially execute arbitrary code on the device. The exploit for this vulnerability is now publicly available, increasing the risk of exploitation.

    Technical Details: The vulnerability lies within the formWrlExtraGet function in the /goform/WrlExtraGet file. Specifically, the vulnerability is triggered when manipulating the chkHz argument. By sending a specially crafted request with an overly long chkHz value, an attacker can overwrite the buffer, potentially leading to arbitrary code execution.

    CVSS Analysis:
    CVE ID: CVE-2025-13400
    Severity: HIGH…