
CVE-2025-34328: CWE-434 Unrestricted Upload of File with Dangerous Type in AudioCodes Limited AudioCodes Fax/IVR Appliance

Severity: Critical
Tags: CVE-2025-34328, CWE-434
Published: Wed Nov 19 2025 (11/19/2025, 16:22:22 UTC)
Source: CVE Database V5
Vendor/Project: AudioCodes Limited
Product: AudioCodes Fax/IVR Appliance

Description

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\SYSTEM on Windows deployments. A remote, unauthenticated attacker can write arbitrary files into the product's web-accessible directory structure and subsequently execute them.

AI-Powered Analysis

Last updated: 11/19/2025, 16:54:01 UTC

Technical Analysis

CVE-2025-34328 is a critical unauthenticated remote code execution vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances up to and including version 2.6.23. The flaw resides in the F2MAdmin web administration component, specifically in the ajaxScript.php script-management endpoint. This endpoint exposes a 'saveScript' action that writes attacker-supplied data directly to server-side file paths without any authentication. Because the web service runs under the NT AUTHORITY\SYSTEM account on Windows deployments, any uploaded malicious file that is subsequently executed runs with full system privileges. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type): attackers can place executable files or scripts into web-accessible directories, which leads to full remote code execution, complete system compromise, and potential lateral movement within the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects that the attack requires no authentication or user interaction, has low complexity, and results in high confidentiality, integrity, and availability impacts. No patches or public exploit code are currently available; the vendor has not yet released a fix, and the severity and ease of exploitation make this a critical threat. The attack surface includes any management interface that is reachable remotely or internally without proper network controls.

Potential Impact

For European organizations, this vulnerability poses a severe risk, especially for those relying on AudioCodes Fax Server and IVR appliances in their telephony infrastructure. Successful exploitation allows attackers to gain SYSTEM-level access remotely without authentication, enabling full control over the affected device. This can lead to interception or manipulation of voice and fax communications, disruption of telephony services, and potential pivoting to other internal systems. Critical sectors such as telecommunications providers, financial institutions, government agencies, and large enterprises using these appliances for voice services are at heightened risk. The compromise of these systems could result in significant operational downtime, data breaches involving sensitive communications, and reputational damage. Given the central role of such appliances in unified communications, the availability and integrity of voice services could be severely impacted, affecting business continuity and regulatory compliance under European data protection laws.

Mitigation Recommendations

1. Immediately restrict network access to the AudioCodes Fax/IVR appliance management interfaces by implementing strict firewall rules and network segmentation, allowing access only from trusted administrative hosts.
2. Employ VPNs or zero-trust network access solutions to secure remote management connections.
3. Monitor web server logs and file system directories for unusual file uploads or modifications, especially in web-accessible directories.
4. Disable or restrict the vulnerable ajaxScript.php endpoint if possible, or apply web application firewall (WAF) rules to block unauthorized requests targeting this endpoint.
5. Regularly audit and inventory all AudioCodes appliances in the environment to ensure no unmanaged or exposed devices exist.
6. Engage with AudioCodes support for any available patches or workarounds and apply them promptly once released.
7. Implement endpoint detection and response (EDR) solutions on network segments hosting these appliances to detect anomalous behavior indicative of exploitation.
8. Educate network and security teams about this vulnerability to ensure rapid detection and response capabilities.
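Recommendations 1, 3 and 4 above come down to two log-level checks: who is talking to the ajaxScript.php endpoint, and whether a host that issued a saveScript call then fetches a path the server has never served before (the "write, then execute" sequence the description mentions). The script below is an added illustration of that detection logic, not code from AudioCodes or from this advisory. It assumes Common Log Format access logs (a Windows/IIS deployment would more likely produce W3C extended logs and need a different parser), assumes the action is carried as a query-string parameter, and runs over a handful of constructed sample lines rather than real traffic.

```python
import re

# Endpoint path as given in the advisory. Passing the action as ?action=saveScript
# is an assumption for this example; adjust the match if your logs show it elsewhere.
VULN_PATH = "/AudioCodes_files/utils/IVR/diagram/ajaxScript.php"
WRITE_ACTION = "saveScript"

# Constructed sample access log in Common Log Format (not real traffic).
# 10.0.0.5 plays the legitimate admin host; 203.0.113.7 is an untrusted source.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Nov/2025:16:20:01 +0000] "GET /F2MAdmin/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [19/Nov/2025:16:21:15 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxScript.php?action=saveScript HTTP/1.1" 200 37
10.0.0.5 - - [19/Nov/2025:16:22:40 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxScript.php?action=loadScript HTTP/1.1" 200 1904
203.0.113.7 - - [19/Nov/2025:16:23:02 +0000] "GET /AudioCodes_files/utils/IVR/diagram/dropped.php HTTP/1.1" 200 88
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = query
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, admin_hosts):
    """Return (finding, source, detail) tuples for suspicious activity.

    endpoint_untrusted_source: any request to the vulnerable endpoint from a host
                               outside the admin allowlist (recommendation 1/4).
    script_write:              a saveScript call from any source, since the
                               endpoint performs no authentication of its own.
    new_path_after_write:      a host that issued saveScript then successfully
                               fetches a path never served before in this log,
                               the pattern of a dropped file being executed.
    """
    findings = []
    writers = set()      # sources that have issued a saveScript call
    seen_paths = set()   # every path served so far, in log order
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src, path, query = rec["src"], rec["path"], rec["query"]
        if path.lower() == VULN_PATH.lower():
            if src not in admin_hosts:
                findings.append(("endpoint_untrusted_source", src, rec["target"]))
            if WRITE_ACTION.lower() in query.lower():
                findings.append(("script_write", src, rec["target"]))
                writers.add(src)
        elif src in writers and path not in seen_paths and rec["status"] == 200:
            findings.append(("new_path_after_write", src, path))
        seen_paths.add(path)
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG, admin_hosts={"10.0.0.5"}):
        print(f"{kind:26s} {src:15s} {detail}")
```

The allowlist makes the first rule deliberately noisy: on an appliance where the management interface should only ever be reached from a few admin hosts, every other request to this endpoint is worth a ticket, whatever the action. The third rule is the one to escalate on, because a freshly written path being served with a 200 to the same source that wrote it is the sequence the advisory describes, and it does not depend on guessing how the write request was encoded.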


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.586Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 691df24bcb9b476b7d51eae9

Added to database: 11/19/2025, 4:37:31 PM

Last enriched: 11/19/2025, 4:54:01 PM

Last updated: 11/22/2025, 11:04:01 AM
