CVE-2025-34328 – This critical vulnerability allows unauthentica... (How to Fix)

Q: What is the severity of CVE-2025-34328?

CVE-2025-34328 has a CVSS score of 9.8 (CRITICAL). This critical vulnerability allows unauthenticated remote attackers to upload arbitrary files and execute code as SYSTEM on AudioCodes Fax Server and Auto-Attendant IVR appliances. It affects all versions up to 2.6.23 with the vulnerable web administration component exposed. Attackers can achieve full system compromise without any authentication.

📋 TL;DR

This critical vulnerability allows unauthenticated remote attackers to upload arbitrary files and execute code as SYSTEM on AudioCodes Fax Server and Auto-Attendant IVR appliances. It affects all versions up to 2.6.23 with the vulnerable web administration component exposed. Attackers can achieve full system compromise without any authentication.

💻 Affected Systems

Products:

AudioCodes Fax Server
AudioCodes Auto-Attendant IVR

Versions: All versions up to and including 2.6.23

Operating Systems: Windows (NT AUTHORITY\SYSTEM context)

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerable endpoint is part of the F2MAdmin web administration component. Windows deployments are most critical due to SYSTEM privileges.

📦 What is this software?

Fax Server by Audiocodes

View all CVEs affecting Fax Server →

Interactive Voice Response by Audiocodes

View all CVEs affecting Interactive Voice Response →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with SYSTEM privileges, allowing installation of persistent backdoors, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Remote code execution leading to web shell deployment, credential harvesting, and ransomware deployment on vulnerable systems.

🟢

If Mitigated

Limited impact if systems are isolated behind firewalls with strict network controls, though the vulnerability remains critical.

🌐 Internet-Facing: HIGH - Directly exploitable without authentication from the internet, leading to immediate compromise.

🏢 Internal Only: HIGH - Even internally, any attacker with network access can exploit this without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is trivial with publicly available proof-of-concept code. The vulnerability requires no authentication and minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf

Restart Required: No

Instructions:

No patch available. AudioCodes has announced end-of-service for these products. Immediate mitigation requires removing affected systems from networks or implementing strict workarounds.

🔧 Temporary Workarounds

Block vulnerable endpoint at network level

linux

Block access to /AudioCodes_files/utils/IVR/diagram/ajaxScript.php at firewall/WAF

iptables -A INPUT -p tcp --dport 80 -m string --string "ajaxScript.php" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "ajaxScript.php" --algo bm -j DROP

Disable web administration interface

all

Remove or restrict access to the F2MAdmin web interface

# Remove or rename the F2MAdmin directory
mv /path/to/F2MAdmin /path/to/F2MAdmin.disabled

🧯 If You Can't Patch

Immediately isolate affected systems from all networks, including internal networks
Implement strict network segmentation with firewall rules blocking all traffic to/from affected appliances

🔍 How to Verify

Check if Vulnerable:

Check if the endpoint http://[target]/AudioCodes_files/utils/IVR/diagram/ajaxScript.php exists and responds. Version check can confirm if system is in affected range.

Check Version:

Check web interface footer or administration panel for version information. No standard CLI command available.

Verify Fix Applied:

Verify the ajaxScript.php endpoint is no longer accessible or returns 404/403. Confirm version is above 2.6.23 if upgraded (though no patch exists).

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /AudioCodes_files/utils/IVR/diagram/ajaxScript.php
POST requests with saveScript parameter
Unusual file creation in web directories

Network Indicators:

POST requests to ajaxScript.php endpoint
Unusual outbound connections from appliance after exploitation

SIEM Query:

source="web_logs" AND (url="*ajaxScript.php*" OR post_data="*saveScript*")

📊 Metadata

CVE ID: CVE-2025-34328

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

EPSS Score: 0.47% exploit probability (64.2th percentile)

Published: November 19, 2025

Last Updated: December 12, 2025

🔗 References

https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt Exploit,Third Party Advisory
https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html Exploit,Third Party Advisory
https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf Product
https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-file-upload-rce-via-ajaxscript Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-34328, you might also want to check these: