CVE-2025-34332 is an elevation of privilege vulnerability in AudioCodes Limited's Fax Server and Auto-Attendant IVR appliances, specifically versions up to and including 2.6.23. The appliances include a web administration interface that manages backend Windows services via helper batch scripts located in the directory C:\F2MAdmin\F2E\AudioCodes_files\utils\Services. These scripts are executed by PHP's system() function running under the NT AUTHORITY\SYSTEM account when service control actions are triggered through ajaxPost.php. However, the batch files have overly permissive Access Control Lists (ACLs), allowing any authenticated local user to write and replace the script contents with arbitrary commands. Consequently, when a service start or stop operation occurs, the modified batch script executes with SYSTEM privileges, enabling an attacker with local authenticated access to escalate privileges to the highest system level. The vulnerability does not require user interaction or elevated privileges initially but does require local authentication. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects a local attack vector with low complexity, no authentication bypass, and high impact on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the vulnerability poses a significant risk to affected systems, especially in environments where local user accounts are accessible or where attackers can gain initial footholds.

For European organizations, this vulnerability presents a critical risk to telephony and fax infrastructure that relies on AudioCodes Fax Server and IVR appliances. Successful exploitation allows attackers with local authenticated access to gain SYSTEM-level privileges, potentially leading to full system compromise. This can result in unauthorized access to sensitive communications, disruption of voice and fax services, and lateral movement within corporate networks. Given the role of these appliances in business-critical communication, exploitation could impact confidentiality, integrity, and availability of services, affecting operational continuity and compliance with data protection regulations such as GDPR. The risk is heightened in environments with multiple users having local access or where attackers can leverage other vulnerabilities or social engineering to gain local credentials. The lack of user interaction requirement facilitates automated or stealthy privilege escalation once local access is obtained.

1. Immediately audit and restrict permissions on the directory C:\F2MAdmin\F2E\AudioCodes_files\utils\Services and all batch scripts within it to ensure only trusted system administrators have write access. 2. Implement strict local user account management and limit the number of users with local authenticated access to the appliance. 3. Monitor file integrity of the batch scripts using file integrity monitoring tools to detect unauthorized modifications. 4. Restrict access to the web administration interface to trusted networks and use strong authentication mechanisms. 5. Apply any vendor patches or updates addressing this vulnerability as soon as they become available. 6. Consider isolating the appliance in a segmented network zone to limit lateral movement if compromised. 7. Conduct regular security audits and penetration tests focusing on local privilege escalation vectors. 8. Educate administrators and users about the risks of local account misuse and enforce least privilege principles.