CVE-2025-34329

Exploit

EPSS 1.02%
Veröffentlicht 19.11.2025 16:23:09
Zuletzt bearbeitet 12.12.2025 16:09:44
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated Backup Upload RCE via ajaxBackupUploadFile.php

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web interface. The script derives a backup folder path from application configuration, creates the directory if it does not exist, and then moves an uploaded file to that location using the attacker-controlled filename, without any authentication, authorization, or file-type validation. On default Windows deployments where the backup directory resolves to the system drive, a remote attacker can upload web server or interpreter configuration files that cause a log file or other server-controlled resource to be treated as executable code. This allows subsequent HTTP requests to trigger arbitrary command execution under the web server account, which runs as NT AUTHORITY\\SYSTEM.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Audiocodes ≫ Fax Server Version <= 2.6.23

Audiocodes ≫ Interactive Voice Response Version <= 2.6.23

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.02%	0.588

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf

Product

https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html

Third Party Advisory

Exploit

https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt

Third Party Advisory

Exploit

https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-backup-upload-rce-via-ajaxbackupuploadfile

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-34329

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-34329

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-34329

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-34329