CVE-2025-34335 is an authenticated OS command injection vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances up to version 2.6.23. The flaw exists in the license activation process, specifically in the AudioCodes_files/ActivateLicense.php script. When a license file is uploaded, the system generates a new filename by concatenating a base name with the extension extracted from the uploaded file's original name. However, the extension portion is attacker-controlled and incorporated into a command line executed by fax_server_lic_cmdline.exe without any input validation, escaping, or proper argument quoting. This allows an authenticated attacker to inject shell metacharacters into the filename extension, causing arbitrary commands to be executed with NT AUTHORITY\SYSTEM privileges on the underlying Windows system. The vulnerability requires only low privileges (authenticated user) and no user interaction beyond the upload. The CVSS 4.0 base score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no privileges required beyond authentication. Although no known exploits are currently reported in the wild, the vulnerability's nature and privilege escalation potential make it a critical risk. The affected product is widely used in telephony and fax infrastructure, which are often integral to enterprise communications and operations. The lack of input sanitization in a critical workflow highlights a severe design flaw that can lead to full system compromise.

For European organizations, exploitation of this vulnerability could lead to complete system compromise of AudioCodes Fax/IVR appliances, which are often deployed in critical telephony and communication infrastructures. Attackers gaining NT AUTHORITY\SYSTEM privileges can execute arbitrary commands, potentially leading to data exfiltration, disruption of fax and IVR services, lateral movement within networks, and persistent backdoors. Given the role of these appliances in enterprise communications, successful exploitation could disrupt business operations, cause data breaches, and impact regulatory compliance, especially under GDPR. The high privilege level and network accessibility of the vulnerable component increase the risk of widespread damage. Organizations relying on these appliances for customer interaction or internal communications may face operational downtime and reputational damage. Additionally, attackers could leverage compromised appliances as footholds for further attacks on corporate networks or critical infrastructure, amplifying the threat to European entities.

1. Immediately restrict access to the license upload interface to trusted administrators only, using network segmentation, VPNs, or IP whitelisting. 2. Monitor and log all license file uploads and related command executions for suspicious activity or anomalous filenames. 3. Implement strict input validation and sanitization on filename extensions in the license activation workflow to prevent injection of shell metacharacters. 4. Apply vendor patches or updates as soon as they become available; maintain close contact with AudioCodes for security advisories. 5. Consider deploying application-layer firewalls or endpoint detection solutions that can detect and block command injection attempts targeting the fax_server_lic_cmdline.exe process. 6. Conduct regular security audits and penetration tests focusing on telephony and fax infrastructure components. 7. Educate administrators on the risks of uploading untrusted files and enforce strong authentication and authorization controls on management interfaces. 8. If patching is delayed, consider isolating the vulnerable appliances from broader networks to limit potential attack vectors.