CVE-2025-34332: CWE-276 Incorrect Default Permissions in AudioCodes Limited AudioCodes Fax/IVR Appliance
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts located under C:\F2MAdmin\F2E\AudioCodes_files\utils\Services. When certain service actions are requested through ajaxPost.php, these scripts are invoked by PHP using system() under the NT AUTHORITY\SYSTEM account. The batch files in this directory are writable by any authenticated local user due to overly permissive ACLs, allowing them to replace script contents with arbitrary commands. On the next service start/stop operation, the modified script is executed as SYSTEM, enabling elevation of local privileges.
AI Analysis
Technical Summary
CVE-2025-34332 is a vulnerability classified under CWE-276 (Incorrect Default Permissions) affecting AudioCodes Fax Server and Auto-Attendant IVR appliances up to and including version 2.6.23. The affected devices include a web administration interface that manages back-end Windows services through helper batch scripts located in the directory C:\F2MAdmin\F2E\AudioCodes_files\utils\Services. These batch files are executed by a PHP script (ajaxPost.php) using the system() call under the NT AUTHORITY\SYSTEM account. Due to overly permissive Access Control Lists (ACLs), any authenticated local user can write to these batch files, replacing their contents with arbitrary commands. When a service start or stop operation is triggered, the modified batch script executes with SYSTEM privileges, enabling elevation of local privileges. The flaw requires no user interaction and has low attack complexity, since the attacker needs only an authenticated local account. The vulnerability impacts confidentiality, integrity, and availability by allowing arbitrary commands to run as SYSTEM, potentially leading to full system compromise. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects a local attack vector, low attack complexity, no special attack requirements, low privileges (an ordinary local user account), no user interaction, and high impact on confidentiality, integrity, and availability. No patches are currently linked, and no exploits are known in the wild, but the risk remains significant due to the nature of the flaw and the criticality of the affected systems in telephony infrastructure.
Potential Impact
For European organizations, this vulnerability poses a serious risk, especially to those relying on AudioCodes Fax Server and IVR appliances for telephony and fax services. Successful exploitation allows an authenticated local user to escalate privileges to SYSTEM level, potentially leading to full control over the appliance and the underlying Windows system. This can result in unauthorized access to sensitive communications, disruption of telephony services, and lateral movement within the network. Given the critical role of these appliances in business communications, exploitation could impact operational continuity and data confidentiality. The vulnerability is particularly concerning for sectors with stringent regulatory requirements such as finance, healthcare, and government agencies in Europe. The current absence of known exploits provides a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
Immediate mitigation should focus on restricting write permissions to the batch script directory (C:\F2MAdmin\F2E\AudioCodes_files\utils\Services) to trusted administrative accounts only, removing write access from all authenticated local users. Organizations should audit and harden ACLs on these files and directories to enforce the principle of least privilege. Network segmentation and strict access controls should limit local user access to the affected appliances. Monitoring and alerting for unexpected modifications to these batch files or unusual service start/stop operations can provide early detection. Until official patches are released, consider disabling or restricting the web administration interface if feasible. Vendors and customers should engage with AudioCodes for timely patch deployment once available. Additionally, enforcing strong authentication and limiting local user accounts on these appliances reduces the attack surface.
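The ACL audit and hardening described above, as an added PowerShell example that is not AudioCodes code. It uses the directory path from the advisory; which principals count as "broad" (Everyone, Authenticated Users, BUILTIN\Users) and that read/execute may be left to them are assumptions, not vendor guidance.

```powershell
# Added example, not AudioCodes code: audit (and, with -Fix, harden) the ACLs on the
# helper-script directory named in CVE-2025-34332. Which principals count as "broad"
# and that read/execute may be left to them are assumptions, not vendor guidance.
param(
    [string]$ScriptDir = 'C:\F2MAdmin\F2E\AudioCodes_files\utils\Services',
    [switch]$Fix
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users (assumed "broad").
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
# Any of these bits lets a principal alter, delete or replace a script in the directory.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, DeleteSubdirectoriesAndFiles'

function Get-RiskyAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or unresolvable SID: skip rather than abort the audit
        if (($BroadSids -contains $sid) -and ([int]($ace.FileSystemRights -band $WriteBits) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Sid = $sid; Rights = $ace.FileSystemRights }
        }
    }
}

# Check the directory itself (CreateFiles/Delete there is enough to swap a script) and every file in it.
$targets = @($ScriptDir) + @(Get-ChildItem -LiteralPath $ScriptDir -File | ForEach-Object FullName)
$risky = @($targets | ForEach-Object { Get-RiskyAce -Path $_ })

if ($risky.Count -eq 0) { Write-Host "No broad write ACEs found under $ScriptDir"; return }
$risky | Format-Table Path, Identity, Rights -AutoSize

if ($Fix) {
    foreach ($r in $risky) {
        # Break inheritance (keeping copies of the current ACEs) so the change sticks, then
        # replace that principal's explicit grant with read/execute only; SYSTEM and
        # Administrators are untouched, so the web component can still run the scripts.
        icacls $r.Path /inheritance:d | Out-Null
        icacls $r.Path /grant:r "*$($r.Sid):(RX)" | Out-Null
    }
    Write-Host 'Re-run without -Fix to confirm no broad write ACEs remain.'
}
```

Run it from an elevated PowerShell session on the appliance; the audit pass is read-only, and the same report serves as a baseline for the file-modification monitoring recommended above.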
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.586Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691df24bcb9b476b7d51eb01
Added to database: 11/19/2025, 4:37:31 PM
Last enriched: 11/26/2025, 5:06:03 PM
Last updated: 1/7/2026, 8:49:39 AM