CVE-2025-34331 is a critical vulnerability categorized under CWE-306 (Missing Authentication for Critical Function) found in AudioCodes Limited's Fax Server and Auto-Attendant IVR appliances, specifically versions up to and including 2.6.23. The vulnerability resides in the download.php script, which implements a file download mechanism without enforcing access control or authentication. This flaw allows remote attackers to specify arbitrary file paths and filenames within allowed file extensions to retrieve files stored on the appliance. Although the application logic restricts downloads to specific file types, sensitive backup archives containing internal databases and credential hashes are accessible. These archives may include administrative password hashes and other sensitive configuration data, leading to potential compromise of administrative credentials and internal system information. The vulnerability is remotely exploitable over the network without any authentication or user interaction, increasing its risk profile. The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, with low attack complexity and no privileges required. No patches have been linked yet, and no active exploitation has been reported, but the exposure of sensitive data could facilitate further attacks or unauthorized access if exploited.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of critical telephony infrastructure. AudioCodes Fax and IVR appliances are commonly used in enterprise voice and fax communications, including in sectors such as finance, healthcare, and government. Exposure of administrative password hashes and configuration data could lead to unauthorized administrative access, enabling attackers to manipulate voice services, intercept communications, or disrupt operations. The compromise of backup archives may also reveal sensitive customer or internal data, violating data protection regulations such as GDPR. The lack of authentication and ease of exploitation means attackers can remotely access sensitive files without prior access, increasing the likelihood of targeted or opportunistic attacks. This could result in operational disruption, reputational damage, and regulatory penalties for affected organizations.

Organizations should immediately verify if they are running affected versions of AudioCodes Fax Server or Auto-Attendant IVR appliances (up to 2.6.23). Until a vendor patch is available, network-level mitigations should be applied, including restricting access to the management interface and download.php endpoint via firewall rules or network segmentation, allowing only trusted IP addresses. Monitoring and logging access to the appliance should be enhanced to detect unusual file download requests. Administrators should change all administrative passwords and consider reissuing credentials if compromise is suspected. Additionally, organizations should review backup storage and ensure sensitive archives are protected with encryption and access controls. Regular vulnerability scanning and penetration testing focusing on telephony infrastructure can help identify exploitation attempts. Once a vendor patch is released, prompt application is critical. Engaging with AudioCodes support for guidance and updates is recommended.