CVE-2025-34333 is a vulnerability classified under CWE-276 (Incorrect Default Permissions) affecting AudioCodes Fax Server and Auto-Attendant IVR appliances up to and including version 2.6.23. The core issue is that the web document root directory (C:\F2MAdmin\F2E) is configured with overly permissive file system permissions, granting authenticated local users modify rights. The associated web server process runs under the NT AUTHORITY\SYSTEM account, which has the highest privileges on Windows systems. This misconfiguration allows any authenticated local user to create or alter server-side scripts within the webroot. By subsequently sending crafted HTTP requests to trigger these scripts, an attacker can execute arbitrary code with SYSTEM-level privileges. The vulnerability does not require user interaction and has a low attack complexity but requires local authentication. The CVSS v4.0 score is 8.5 (high severity), reflecting the critical impact on confidentiality, integrity, and availability. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability stems from improper default permissions, a common security misconfiguration that can lead to privilege escalation and remote code execution in environments where local user access is possible.

For European organizations, exploitation of this vulnerability could result in complete system compromise of AudioCodes Fax/IVR appliances, leading to unauthorized access to sensitive telephony and fax communications. Attackers gaining SYSTEM privileges can manipulate call routing, intercept or alter fax transmissions, disrupt IVR services, or use the compromised appliance as a foothold for lateral movement within the network. This threatens confidentiality of communications, integrity of telephony services, and availability of critical voice infrastructure. Organizations relying on these appliances for customer service, emergency response, or internal communications may face operational disruptions and data breaches. Given the appliance’s role in telephony infrastructure, the impact extends to regulatory compliance risks under GDPR if personal data is exposed. The requirement for local authentication limits remote exploitation but insider threats or compromised credentials could enable attacks. The lack of known exploits reduces immediate risk but does not eliminate it, especially in environments with multiple users having local access.

European organizations should immediately audit and restrict file system permissions on the web document root directory (C:\F2MAdmin\F2E) to remove modify rights from non-administrative local users. Limit local user accounts on the appliance to only trusted personnel and enforce strong authentication controls. Monitor and log local user activities and HTTP requests to detect unauthorized script modifications or suspicious access patterns. If possible, isolate the appliance network segment to reduce exposure. Engage with AudioCodes support for any available patches or configuration updates addressing this issue. Until patches are available, consider disabling or restricting web server functionality if not essential. Conduct regular security assessments of telephony infrastructure and implement endpoint protection on devices with local access. Educate administrators and users on the risks of local privilege abuse and enforce strict access control policies. Finally, maintain up-to-date backups of appliance configurations to enable recovery in case of compromise.