CVE-2025-34329 is a critical vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances up to version 2.6.23. The flaw resides in an unauthenticated backup upload endpoint located at AudioCodes_files/ajaxBackupUploadFile.php within the F2MAdmin web interface. This endpoint accepts file uploads without any authentication, authorization, or file-type validation. The script uses an application-configured backup folder path, creating the directory if it does not exist, and moves the uploaded file there using the attacker-controlled filename. On default Windows deployments, the backup directory typically resolves to the system drive, allowing an attacker to upload malicious files such as web server or interpreter configuration files. These files can cause log files or other server-controlled resources to be treated as executable code. Consequently, an attacker can trigger arbitrary command execution by sending crafted HTTP requests, running code under the web server account, which operates with NT AUTHORITY\SYSTEM privileges. This vulnerability is remotely exploitable without any authentication or user interaction, making it extremely dangerous. The CVSS 4.0 score of 9.3 reflects the critical nature of this vulnerability, with high impact on confidentiality, integrity, and availability. Although no exploits have been observed in the wild yet, the vulnerability's characteristics make it a prime target for attackers aiming to gain full system control on affected appliances.

The impact on European organizations using AudioCodes Fax and IVR appliances is severe. Successful exploitation grants attackers remote code execution with SYSTEM-level privileges, enabling full control over the affected device. This can lead to interception or manipulation of sensitive telephony and fax communications, disruption of critical voice services, and lateral movement within corporate networks. Given the appliance's role in handling voice and fax traffic, attackers could also use compromised devices as pivot points for further attacks or espionage. The lack of authentication and ease of exploitation increase the likelihood of attacks, potentially affecting confidentiality, integrity, and availability of communication infrastructure. Disruption or compromise of these systems could impact sectors reliant on telephony services such as finance, healthcare, and government agencies across Europe. Additionally, the appliance's integration with broader IT infrastructure means that compromise could facilitate broader network intrusions or data breaches.

European organizations should immediately restrict network access to the vulnerable ajaxBackupUploadFile.php endpoint, ideally limiting it to trusted administrative networks only. Deploy network-level controls such as firewalls or VPNs to prevent unauthorized external access. Monitor web server logs for unusual file uploads or HTTP requests targeting the backup upload endpoint. Since no official patches are currently available, organizations should engage with AudioCodes for updates and apply vendor patches promptly once released. Implement application-layer filtering or web application firewalls (WAFs) to detect and block malicious upload attempts. Review and harden the configuration of backup directories to ensure they do not reside on system drives or locations treated as executable by the web server. Conduct thorough audits of deployed appliances to identify vulnerable versions and consider temporary removal or replacement of affected devices in critical environments. Finally, establish incident response plans to quickly address any signs of compromise related to this vulnerability.