
CVE-2025-34329: CWE-434 Unrestricted Upload of File with Dangerous Type in AudioCodes Limited AudioCodes Fax/IVR Appliance

Severity: Critical
Tags: CVE-2025-34329, CWE-434
Published: Wed Nov 19 2025 (11/19/2025, 16:23:09 UTC)
Source: CVE Database V5
Vendor/Project: AudioCodes Limited
Product: AudioCodes Fax/IVR Appliance

Description

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web interface. The script derives a backup folder path from application configuration, creates the directory if it does not exist, and then moves an uploaded file to that location using the attacker-controlled filename, without any authentication, authorization, or file-type validation. On default Windows deployments where the backup directory resolves to the system drive, a remote attacker can upload web server or interpreter configuration files that cause a log file or other server-controlled resource to be treated as executable code. This allows subsequent HTTP requests to trigger arbitrary command execution under the web server account, which runs as NT AUTHORITY\SYSTEM.

AI-Powered Analysis

AILast updated: 11/19/2025, 16:53:41 UTC

Technical Analysis

CVE-2025-34329 is a critical vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting AudioCodes Fax Server and Auto-Attendant IVR appliances up to and including version 2.6.23. The vulnerability arises from an unauthenticated backup upload endpoint located at AudioCodes_files/ajaxBackupUploadFile.php within the F2MAdmin web interface. This endpoint allows attackers to upload arbitrary files without any authentication, authorization, or file-type validation. The script uses application configuration to determine the backup folder path and creates the directory if it does not exist, then moves the uploaded file there using the attacker-controlled filename. On default Windows deployments, the backup directory resolves to the system drive, which enables attackers to upload files such as web server or interpreter configuration files that cause server logs or other server-controlled resources to be treated as executable code. Consequently, an attacker can trigger arbitrary command execution by sending crafted HTTP requests, running under the NT AUTHORITY\SYSTEM account, which has the highest privileges on Windows systems. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical severity: network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the high privileges gained make this a significant threat. The lack of authentication and file validation, combined with default deployment paths, exacerbates the risk. This vulnerability could be leveraged for full system compromise, lateral movement, and persistent access within affected networks.

Potential Impact

For European organizations, this vulnerability poses a severe risk to telephony and fax infrastructure relying on AudioCodes Fax Server and Auto-Attendant IVR appliances. Successful exploitation leads to full remote code execution with SYSTEM privileges, enabling attackers to compromise confidentiality, integrity, and availability of critical communication systems. This can result in interception or manipulation of voice and fax communications, disruption of telephony services, and potential pivoting to other internal systems. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that depend on these appliances for secure communications are particularly vulnerable. The unauthenticated nature of the exploit increases the likelihood of attacks originating from external threat actors, including cybercriminals and nation-state actors. Additionally, the ability to execute arbitrary commands at the highest privilege level can facilitate deployment of ransomware, data exfiltration, or sabotage. The impact extends beyond the affected device to the broader network and organizational operations, potentially causing significant operational and reputational damage.

Mitigation Recommendations

1. Immediately restrict network access to the vulnerable backup upload endpoint (AudioCodes_files/ajaxBackupUploadFile.php) using firewalls, network segmentation, or access control lists to limit exposure to trusted administrators only.
2. Monitor and audit web server logs for any suspicious upload attempts or unusual HTTP requests targeting the backup upload endpoint.
3. Apply vendor-supplied patches or firmware updates as soon as they become available to remediate the vulnerability.
4. If patches are not yet available, consider disabling or removing the F2MAdmin web interface or the backup upload functionality temporarily to prevent exploitation.
5. Harden the server environment by ensuring the backup directory is not located on the system drive or is configured to prevent execution of uploaded files (e.g., using NTFS permissions, AppLocker, or Windows Defender Application Control).
6. Implement strict file upload validation and filtering mechanisms to prevent dangerous file types from being accepted.
7. Conduct regular vulnerability assessments and penetration testing focused on telephony infrastructure to detect similar weaknesses.
8. Educate IT and security teams about this vulnerability and the importance of securing telephony appliances.
9. Maintain up-to-date backups and incident response plans to quickly recover from potential compromises.
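As an added example (not code from this page or from AudioCodes), the detection logic behind recommendation 2 combined with the trusted-network check of recommendation 1: it parses Apache-style access log lines (an assumed layout; the appliance's real log format may differ) and flags every request to the backup upload endpoint, noting POST upload attempts and sources outside an assumed administrator network. The endpoint is matched on its trailing path because the page gives it relative to the F2MAdmin web root.

```python
import ipaddress
import re

# The advisory names the script relative to the F2MAdmin web root; its full URL
# prefix is not given, so match on the trailing path (assumption).
UPLOAD_ENDPOINT = "/audiocodes_files/ajaxbackupuploadfile.php"

# Apache/NCSA combined log layout is assumed; adjust LOG_RE if the appliance logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical administrator network allowed to reach the backup endpoint.
TRUSTED_ADMIN_CIDRS = ["10.0.0.0/24"]

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)

def find_upload_alerts(lines, trusted_cidrs):
    """Record every request to the backup upload endpoint with the reasons it is suspicious."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()  # drop query string, normalise case
        if not path.endswith(UPLOAD_ENDPOINT):
            continue
        reasons = []
        if rec["method"] == "POST":
            reasons.append("upload attempt (POST)")
        if not is_trusted(rec["ip"], nets):
            reasons.append("source outside trusted admin network")
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "reasons": reasons})
    return alerts

# Constructed sample log lines (not taken from a real appliance).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Nov/2025:16:20:01 +0000] "GET /F2MAdmin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Nov/2025:16:21:44 +0000] "POST /F2MAdmin/AudioCodes_files/ajaxBackupUploadFile.php HTTP/1.1" 200 23 "-" "curl/8.4.0"',
    '10.0.0.5 - - [19/Nov/2025:16:25:10 +0000] "POST /F2MAdmin/AudioCodes_files/ajaxBackupUploadFile.php HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/Nov/2025:16:30:02 +0000] "GET /f2madmin/audiocodes_files/ajaxbackupuploadfile.php?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for a in find_upload_alerts(SAMPLE_LOG, TRUSTED_ADMIN_CIDRS):
        print(a["ts"], a["ip"], a["status"], "; ".join(a["reasons"]) or "request from trusted network")
```

A POST from the trusted network is still reported so it can be reconciled against planned backup activity; a hit from outside that network, whatever the method, indicates the endpoint is reachable from where recommendation 1 says it should not be.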


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.586Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 691df24bcb9b476b7d51eaef

Added to database: 11/19/2025, 4:37:31 PM

Last enriched: 11/19/2025, 4:53:41 PM

Last updated: 11/20/2025, 6:01:56 PM

