CVE-2025-34329

Description

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web interface. The script derives a backup folder path from application configuration, creates the directory if it does not exist, and then moves an uploaded file to that location using the attacker-controlled filename, without any authentication, authorization, or file-type validation. On default Windows deployments where the backup directory resolves to the system drive, a remote attacker can upload web server or interpreter configuration files that cause a log file or other server-controlled resource to be treated as executable code. This allows subsequent HTTP requests to trigger arbitrary command execution under the web server account, which runs as NT AUTHORITY\\SYSTEM.

PUBLISHED Reserved 2025-04-15 | Published 2025-11-19 | Updated 2025-11-20 | Assigner VulnCheck

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Credits

Pierre Barre finder

References

www.audiocodes.com/...ocodes-auto-attendant-ivr-solution.pdf vendor-advisory patch mitigation

pierrekim.github.io/...ocodes-fax-ivr-8-vulnerabilities.html technical-description exploit

pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt technical-description exploit

www.vulncheck.com/...kup-upload-rce-via-ajaxbackupuploadfile third-party-advisory

cve.org (CVE-2025-34329)

nvd.nist.gov (CVE-2025-34329)

Download JSON