CVE-2025-34335 is an authenticated OS command injection vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances up to version 2.6.23. The vulnerability arises in the license activation process, specifically within the AudioCodes_files/ActivateLicense.php script. When a license file is uploaded, the application generates a new filename by concatenating a base name with the extension extracted from the original uploaded file name. This extension is attacker-controlled and incorporated directly into a command line string executed by fax_server_lic_cmdline.exe without any input validation, escaping, or proper argument quoting. As a result, an authenticated user can craft a filename extension containing shell metacharacters to inject arbitrary commands. These commands execute with NT AUTHORITY\SYSTEM privileges, granting full control over the appliance. The vulnerability requires authentication but no additional user interaction. The CVSS 4.0 score is 8.7 (high severity), reflecting the network attack vector, low complexity, no privileges required beyond authentication, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a critical risk due to the elevated privileges and potential for complete system compromise. The affected product is widely used in telephony and fax infrastructure, making it a valuable target for attackers aiming to disrupt communications or gain footholds in enterprise environments.

The impact on European organizations is significant, particularly for those relying on AudioCodes Fax/IVR appliances in telecommunications, government, healthcare, and critical infrastructure sectors. Exploitation allows attackers to execute arbitrary commands as SYSTEM, leading to full device compromise, data theft, service disruption, or pivoting into internal networks. Confidentiality is at high risk due to potential access to sensitive communications and license data. Integrity and availability can be severely affected by malicious modifications or denial of service. Given the appliance’s role in telephony and fax services, exploitation could disrupt critical communication channels. The requirement for authentication limits exposure but does not eliminate risk, as insider threats or compromised credentials could enable attacks. The lack of public exploits currently provides a window for mitigation, but the high severity score and ease of exploitation warrant urgent attention.

1. Immediately restrict access to the license upload interface to trusted administrators only, using network segmentation and strong authentication mechanisms such as multi-factor authentication (MFA). 2. Monitor and audit all license upload activities and system logs for suspicious filename patterns or command execution anomalies. 3. Implement strict input validation and sanitization on the filename extension field if possible via configuration or custom scripting to block shell metacharacters. 4. Disable or isolate the license activation functionality temporarily if feasible until a vendor patch is available. 5. Coordinate with AudioCodes for timely patch deployment once released; maintain close vendor communication for updates. 6. Employ endpoint detection and response (EDR) tools to detect unusual process executions or privilege escalations on affected appliances. 7. Conduct regular credential audits and enforce least privilege principles to reduce the risk of credential compromise enabling exploitation. 8. Consider network-level protections such as Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS) with custom rules targeting suspicious upload requests.