CVE-2025-34328 is a critical remote code execution vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances up to version 2.6.23. The root cause is an unrestricted file upload vulnerability (CWE-434) in the web administration component called F2MAdmin. Specifically, the ajaxScript.php endpoint exposes a saveScript action that allows unauthenticated attackers to upload arbitrary files to the server. These files are saved under the privileges of the web service account, which runs as NT AUTHORITY\SYSTEM on Windows deployments, granting full system-level control. Because the uploaded files reside in a web-accessible directory, attackers can execute malicious scripts remotely without any authentication or user interaction. The vulnerability is severe due to the combination of unauthenticated access, high privilege execution context, and the ability to execute arbitrary code remotely. The CVSS 4.0 vector reflects these factors with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No patches or exploit code are currently publicly available, but the risk is substantial given the critical nature of the flaw and the widespread use of AudioCodes appliances in enterprise telephony environments.

For European organizations, the impact of this vulnerability is significant. AudioCodes appliances are commonly deployed in telecommunications infrastructure, enterprise voice systems, and unified communications environments. Exploitation could lead to complete system compromise, allowing attackers to intercept or manipulate voice communications, disrupt fax and IVR services, or use the compromised appliance as a foothold for lateral movement within corporate networks. This could result in data breaches, service outages, and reputational damage. Critical sectors such as finance, government, healthcare, and telecommunications in Europe rely heavily on secure voice infrastructure, making them prime targets. The ability to execute code as SYSTEM without authentication amplifies the threat, potentially enabling ransomware deployment or espionage activities. The lack of known exploits in the wild suggests a window for proactive defense, but also a risk that attackers may develop exploits rapidly given the high severity.

1. Immediately restrict network access to the AudioCodes Fax/IVR appliance management interfaces, ideally limiting access to trusted internal IPs or via VPN. 2. Monitor web server logs and file directories for unusual file uploads or execution attempts, focusing on the ajaxScript.php endpoint and web-accessible directories. 3. Implement web application firewalls (WAF) with rules to detect and block suspicious file upload patterns targeting this endpoint. 4. Apply vendor patches or updates as soon as they become available; if no patch exists yet, consider temporary compensating controls such as disabling the vulnerable web administration component or isolating the appliance from untrusted networks. 5. Conduct thorough audits of existing appliances to identify any signs of compromise or unauthorized file uploads. 6. Employ network segmentation to limit the appliance’s access to critical internal systems and data. 7. Educate IT and security teams about this vulnerability to ensure rapid detection and response to any exploitation attempts.