CVE-2025-34329
📋 TL;DR
AudioCodes Fax Server and Auto-Attendant IVR appliances up to version 2.6.23 expose an unauthenticated backup upload endpoint that allows remote attackers to upload arbitrary files with attacker-controlled filenames. This leads to remote code execution as NT AUTHORITY\SYSTEM on default Windows deployments. All organizations using affected versions with the F2MAdmin web interface exposed are vulnerable.
💻 Affected Systems
- AudioCodes Fax Server
- AudioCodes Auto-Attendant IVR
📦 What is this software?
Fax Server and Auto-Attendant IVR appliances by AudioCodes
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent backdoors, exfiltrate sensitive data, disable security controls, and pivot to other network systems.
Likely Case
Attackers gain initial foothold via web shell, then escalate to full SYSTEM control to deploy ransomware, steal credentials, or use the appliance as a pivot point for lateral movement.
If Mitigated
If properly segmented and access-controlled, the impact is limited to the appliance itself, though SYSTEM access still allows complete control of that system.
🎯 Exploit Status
Exploitation requires only HTTP POST requests to the vulnerable endpoint with crafted filenames. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
Restart Required: No
Instructions:
No official patch available. Vendor has announced end-of-service. Immediate mitigation required via workarounds or system replacement.
🔧 Temporary Workarounds
Block Access to Vulnerable Endpoint
Configure the web server or a firewall to block all access to /AudioCodes_files/ajaxBackupUploadFile.php
# Note: IIS on Windows serves paths case-insensitively, so a block rule placed in front of it must also match case-insensitively (nginx `~*`, Apache `<LocationMatch "(?i)...">`), otherwise a differently cased request path still reaches the endpoint.
# For IIS: add a URL Rewrite rule that blocks the path
# For Apache (2.2 syntax; on Apache 2.4 use `Require all denied` inside the block instead):
<Location "/AudioCodes_files/ajaxBackupUploadFile.php">
Order deny,allow
Deny from all
</Location>
# For Nginx:
location ~* ^/AudioCodes_files/ajaxBackupUploadFile\.php$ { return 403; }
Disable F2MAdmin Web Interface
Remove or disable the F2MAdmin web interface entirely if it is not required
# Windows: stop the IIS site or application pool hosting F2MAdmin
# Remove or rename the F2MAdmin directory
🧯 If You Can't Patch
- Immediately isolate affected appliances from internet and restrict network access to only required internal systems
- Implement strict network segmentation and monitor all traffic to/from affected appliances for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check whether the file C:\inetpub\wwwroot\AudioCodes_files\ajaxBackupUploadFile.php exists on the appliance, and test the endpoint with curl: curl -X POST http://<appliance>/AudioCodes_files/ajaxBackupUploadFile.php -F 'file=@test.txt' -F 'filename=test.php'
Check Version:
Check the web interface footer or configuration files for version information; it is typically displayed on the F2MAdmin login page.
Verify Fix Applied:
Verify that the endpoint returns 403/404 or that the file no longer exists, and that test upload attempts fail.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /AudioCodes_files/ajaxBackupUploadFile.php
- File creation in backup directories with unusual extensions (.php, .asp, .aspx)
- IIS logs showing successful uploads (HTTP 200) to the vulnerable endpoint
Network Indicators:
- Unusual outbound connections from appliance to external IPs
- HTTP requests with file upload patterns to the vulnerable endpoint
- Traffic spikes to/from the appliance
SIEM Query:
source="IIS" AND (url="*ajaxBackupUploadFile.php*" OR (status=200 AND url="*/AudioCodes_files/*"))
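As an added example (not part of the advisory) of turning the log indicators above into a check, this Python script parses IIS W3C log lines and flags requests to the vulnerable endpoint, rating an accepted POST highest; the log lines and client addresses are constructed, and the path comparison is lower-cased because IIS on Windows serves paths case-insensitively.

```python
# Added example (not from the advisory): flag hits on the vulnerable upload
# endpoint in IIS W3C logs. The log lines below are constructed, not real.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-11-20 10:15:01 10.0.0.5 GET /F2MAdmin/login.php - 80 - 10.0.0.77 Mozilla/5.0 200 0 0 12
2025-11-20 10:15:09 10.0.0.5 POST /AudioCodes_files/ajaxBackupUploadFile.php - 80 - 203.0.113.9 curl/8.5.0 200 0 0 40
2025-11-20 10:15:11 10.0.0.5 POST /audiocodes_files/AJAXBACKUPUPLOADFILE.PHP - 80 - 203.0.113.9 curl/8.5.0 403 0 0 3
2025-11-20 10:15:20 10.0.0.5 GET /AudioCodes_files/logo.png - 80 - 10.0.0.77 Mozilla/5.0 200 0 0 5
"""

# IIS on Windows serves paths case-insensitively, so compare lower-cased.
VULN_PATH = "/audiocodes_files/ajaxbackupuploadfile.php"


def parse_w3c(lines):
    """Yield one dict per request line, using the #Fields header for keys."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")  # IIS replaces spaces inside values with '+'
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip rather than misparse
        yield dict(zip(fields, values))


def detect(lines):
    """Return hits on the upload endpoint, rated by what the server did."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() != VULN_PATH:
            continue
        method, status = rec.get("cs-method"), rec.get("sc-status")
        if method == "POST" and status == "200":
            severity = "high"    # upload accepted: inspect the backup directory
        elif method == "POST":
            severity = "medium"  # upload attempt rejected (block rule in place)
        else:
            severity = "low"     # probing for the endpoint without an upload
        hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec.get("c-ip"),
                     "method": method, "status": status, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit)
```

Point it at the real log directory (by default under C:\inetpub\logs\LogFiles) and a "high" hit means a file may now sit in the backup directory and should be inspected.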
🔗 References
- https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt
- https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html
- https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
- https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-backup-upload-rce-via-ajaxbackupuploadfile