CVE-2025-34334: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in AudioCodes Limited AudioCodes Fax/IVR Appliance
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 are vulnerable to an authenticated command injection in the fax test functionality implemented by AudioCodes_files/TestFax.php. When a fax "send" test is requested, the application builds a faxsender command line using attacker-supplied parameters and passes it to GlobalUtils::RunBatchFile without proper validation or shell-argument sanitization. The resulting batch file is written into a temporary run directory and then executed via a backend service that runs as NT AUTHORITY\SYSTEM. An authenticated attacker with access to the fax test interface can craft parameter values that inject additional shell commands into the generated batch file, leading to arbitrary command execution with SYSTEM privileges. In addition, because the generated batch files reside in a location with overly permissive file system permissions, a local low-privilege user on the server can modify pending batch files to achieve the same elevation.
AI Analysis
Technical Summary
CVE-2025-34334 is an OS command injection (CWE-78) in AudioCodes Fax Server and Auto-Attendant IVR appliances up to and including version 2.6.23. The fax test function in AudioCodes_files/TestFax.php takes the parameters of a fax "send" test from the HTTP request, concatenates them into a faxsender command line and hands that line to GlobalUtils::RunBatchFile without validating the values or escaping them for the Windows shell. RunBatchFile writes the line into a batch file in a temporary run directory, and a backend service running as NT AUTHORITY\SYSTEM executes that file. Because the batch file is interpreted by cmd.exe, any shell metacharacter an attacker can place in a parameter (a command separator, for instance) becomes part of the script, so an authenticated user who can reach the fax test page obtains arbitrary command execution as SYSTEM over the network. A second, independent path exists locally: the run directory carries overly permissive file system permissions, so a low-privilege user on the server can edit a pending batch file between the moment it is written and the moment the SYSTEM service runs it, reaching the same privilege level without touching the web interface. The remote path requires valid credentials but no user interaction and has low attack complexity; the CVSS 4.0 base score is 8.7 (High) with high impact on confidentiality, integrity and availability. No public exploit is known at the time of writing, but because the execution context is SYSTEM a successful attack amounts to full compromise of the host.
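As an added example (not code from this page or from AudioCodes), the following Python models the pattern described above: an unsafe builder that concatenates request fields straight into a cmd.exe batch line, beside an allowlist-based builder that refuses any value whose shape could carry a shell metacharacter. Python stands in for the PHP here; the faxsender.exe flags, the field names and the two sample requests are assumptions, since the real TestFax.php is not shown on this page.

```python
import re

# Added illustration of the TestFax.php pattern, written in Python as a stand-in
# for the PHP. "faxsender.exe", its flags and the field names are assumptions.

def build_batch_vulnerable(params):
    """Unsafe: request fields are concatenated straight into a cmd.exe batch line."""
    return 'faxsender.exe -n {number} -f {file} -s "{subject}"\r\n'.format(**params)

# Characters that let cmd.exe split, chain, redirect or expand inside a batch line:
# & | < > chain and redirect, ^ escapes, %..% and !..! expand variables, " changes
# quoting state, ( ) group commands, and CR/LF ends the current command.
CMD_META = re.compile(r'[&|<>^%!"()\r\n]')

# Hardened: allowlist each field by its expected shape. re.fullmatch is used rather
# than a $-anchored search because $ also matches before a trailing newline, and a
# newline inside a batch file starts a new command.
FIELD_SHAPES = {
    "number": re.compile(r"\+?[0-9]{3,20}"),                    # dial string only
    "file": re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:tif|pdf)"),   # bare name, no separators
    "subject": re.compile(r"[A-Za-z0-9 _.,-]{0,80}"),           # no cmd metacharacters
}

class InvalidFaxParameter(ValueError):
    pass

def validate_fax_params(params):
    """Return a copy containing only the known fields, each matching its shape."""
    clean = {}
    for key, shape in FIELD_SHAPES.items():
        value = params.get(key)
        if not isinstance(value, str) or shape.fullmatch(value) is None:
            raise InvalidFaxParameter(f"{key}: value does not match the allowed shape")
        clean[key] = value
    return clean

def build_batch_hardened(params):
    """Validate first; every field is then known to contain no cmd.exe metacharacter."""
    clean = validate_fax_params(params)
    return 'faxsender.exe -n "{number}" -f "{file}" -s "{subject}"\r\n'.format(**clean)

# Constructed inputs: one benign test request and one that chains a second command.
BENIGN = {"number": "+4930123456", "file": "testpage.tif", "subject": "Fax test"}
INJECTED = {"number": "12345 & whoami > C:\\Windows\\Temp\\who.txt &",
            "file": "testpage.tif", "subject": "Fax test"}

def is_blocked(params):
    """True if the hardened builder refuses the request."""
    try:
        build_batch_hardened(params)
    except InvalidFaxParameter:
        return True
    return False

if __name__ == "__main__":
    print(build_batch_vulnerable(INJECTED))  # whoami now appears as a second command
    print(build_batch_hardened(BENIGN))
    print("injected request blocked:", is_blocked(INJECTED))
```

Nothing in the block executes cmd.exe; the point is what text lands in the script. The fix validates shape rather than stripping characters: on Windows, PHP's escapeshellarg replaces `"`, `%` and `!` with spaces and double-quotes the result, which silently alters input and still leaves the line subject to cmd.exe's quoting rules, so asking whether a value is well-formed in the first place is the safer control. Even with validation, generating a batch file for a SYSTEM service to run remains a weaker design than passing an argument vector directly to the fax sender.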
Potential Impact
For European organizations, this vulnerability puts telephony and fax infrastructure built on AudioCodes Fax Server and Auto-Attendant IVR appliances at high risk. Successful exploitation gives an attacker arbitrary command execution as SYSTEM on the appliance, which is enough for data theft, service disruption and lateral movement into the rest of the network. Confidentiality is at risk through access to fax traffic and stored communications; integrity and availability can be damaged by unauthorized modification or by malicious commands that take the fax and IVR services down. Because the appliance sits in the voice and fax path, an outage affects business continuity and, in sectors such as finance, healthcare and government, regulatory obligations around secure communications. The local privilege escalation through the writable run directory adds an insider-threat dimension: any low-privilege account on the server can reach SYSTEM without credentials for the web interface. Since the remote path needs only a valid login and no user interaction, credential security for the management interface and monitoring of the appliance are the controls that matter most.
Mitigation Recommendations
1. Apply the vendor fix. The advisory lists versions up to and including 2.6.23 as affected, so confirm with AudioCodes which release corrects the issue and upgrade to it.
2. Until a fixed release is installed, restrict the fax test interface to trusted administrators only, using network segmentation and firewall rules.
3. Enforce strong authentication on the appliance's web interface and monitor its authentication logs; the remote path needs nothing more than a valid login to an account that can reach the fax test function.
4. Harden the ACL on the temporary run directory so that only the backend service account, the account that writes the batch files and administrators can create or modify files there; low-privilege local users must have no write access.
5. Input validation and shell-argument sanitization in TestFax.php are the vendor's fix for the root cause; do not rely on them until they ship in a release, which is why items 2 and 4 carry the load in the meantime.
6. Use host-based monitoring for child processes of the backend service (anything other than the expected faxsender invocation) and for writes to the run directory by accounts other than the ones expected to write there.
7. Regularly audit and review the appliance's configuration and access controls.
8. Isolate the fax/IVR appliance in a dedicated VLAN or network segment to limit who can reach the management interface at all.
9. Educate administrators about the risks of authenticated management interfaces and the importance of credential hygiene.
10. Maintain current backups and an incident response plan so a compromised appliance can be rebuilt quickly.
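To make recommendation 4 checkable, here is an added Python example (not from this page or from the vendor) that parses the output of icacls for the run directory, flags grant ACEs that give write-capable rights to low-privilege principals, and emits the icacls commands that remove them. The path C:\AudioCodes\run and both icacls listings are constructed; the page does not name the real directory or its expected ACL.

```python
import re

# Assumed location of the temporary run directory; the real path is not on the page.
RUN_DIR = r"C:\AudioCodes\run"

# Constructed icacls output, in icacls's layout: the first ACE follows the path on
# the same line, later ACEs are indented, and a summary line closes the listing.
SAMPLE_WEAK = (
    "C:\\AudioCodes\\run Everyone:(OI)(CI)(F)\n"
    "                  BUILTIN\\Users:(OI)(CI)(M)\n"
    "                  BUILTIN\\Administrators:(I)(OI)(CI)(F)\n"
    "                  NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)
SAMPLE_HARDENED = (
    "C:\\AudioCodes\\run NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
    "                  BUILTIN\\Administrators:(OI)(CI)(F)\n"
    "                  BUILTIN\\Users:(OI)(CI)(RX)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# Principals that any local user is a member of; write rights for them let a
# low-privilege user edit a pending batch file before the SYSTEM service runs it.
LOW_PRIV = {
    "everyone", "users", "builtin\\users", "authenticated users",
    "nt authority\\authenticated users", "nt authority\\interactive",
    "nt authority\\anonymous logon",
}
WRITE_SIMPLE = {"F", "M", "W", "D"}                          # simple rights allowing modify/delete
WRITE_SPECIFIC = {"WD", "AD", "WEA", "WA", "DC", "DE", "WDAC", "WO"}  # specific write-type rights
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<tokens>(?:\([^)]*\))+)\s*$")

def parse_icacls(output, path):
    """Return (principal, [tokens]) for each ACE in one icacls listing of `path`."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):          # first line carries the path itself
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            tokens = re.findall(r"\(([^)]*)\)", m.group("tokens"))
            aces.append((m.group("principal"), tokens))
    return aces

def find_permissive_aces(output, path):
    """Grant ACEs that give a low-privilege principal any write-capable right."""
    findings = []
    for principal, tokens in parse_icacls(output, path):
        if "DENY" in tokens:               # deny ACEs reduce access; not a finding
            continue
        rights = set()
        for tok in tokens:
            if tok not in INHERIT_FLAGS:
                rights.update(r.strip() for r in tok.split(","))
        writable = bool(rights & WRITE_SIMPLE) or bool(rights & WRITE_SPECIFIC)
        if writable and principal.lower() in LOW_PRIV:
            findings.append((principal, sorted(rights), "I" in tokens))
    return findings

def remediation_commands(path, findings):
    """icacls commands that strip the flagged grants (inheritance first if needed)."""
    cmds = []
    if any(inherited for _, _, inherited in findings):
        cmds.append(f'icacls "{path}" /inheritance:d')
    for principal, _, _ in findings:
        cmds.append(f'icacls "{path}" /remove:g "{principal}"')
    return cmds

if __name__ == "__main__":
    for principal, rights, inherited in find_permissive_aces(SAMPLE_WEAK, RUN_DIR):
        print(f"writable by {principal}: {','.join(rights)} inherited={inherited}")
    print("\n".join(remediation_commands(RUN_DIR, find_permissive_aces(SAMPLE_WEAK, RUN_DIR))))
```

Run `icacls <run dir>` on the appliance and feed the text to find_permissive_aces. Before removing anything, establish which account the web application writes the batch files as: if the PHP worker runs under a low-privilege account, grant that account explicitly with `/grant:r` instead of removing its access, or the fax test itself will stop working. Inherited ACEs (the (I) flag) cannot be removed until inheritance is disabled, which is why the helper emits `/inheritance:d` ahead of the `/remove:g` lines.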
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.586Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 691df24bcb9b476b7d51eb0d
Added to database: 11/19/2025, 4:37:31 PM
Last enriched: 11/26/2025, 5:06:28 PM
Last updated: 1/7/2026, 4:22:17 AM