CVE-2025-34330
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to upload files to AudioCodes Fax Server and Auto-Attendant IVR appliances via an unprotected web endpoint. Attackers can tamper with IVR audio content or prepare files for further attacks. Organizations using affected AudioCodes appliances with web administration exposed are at risk.
💻 Affected Systems
- AudioCodes Fax Server
- AudioCodes Auto-Attendant IVR
📦 What is this software?
Fax Server by AudioCodes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious files that enable remote code execution or compromise the IVR system, potentially leading to complete system takeover or service disruption.
Likely Case
Attackers tamper with IVR audio prompts or music-on-hold files, causing service disruption, brand damage, or preparing for phishing/social engineering attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to tampering with audio files in the temporary directory.
🎯 Exploit Status
Exploitation requires only a simple HTTP POST request carrying a file upload to the vulnerable endpoint. Public exploit details are available in the referenced advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
Restart Required: No
Instructions:
No official patch available. AudioCodes has announced end-of-service for affected products. Consider migration to supported solutions.
🔧 Temporary Workarounds
Block Access to Vulnerable Endpoint
Use a web application firewall or network firewall to block access to /AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php
Disable Web Administration Interface
Disable or restrict access to the F2MAdmin web interface if it is not required
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected appliances from untrusted networks
- Deploy web application firewall with file upload restrictions and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if the endpoint http://[appliance-ip]/AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php is accessible and accepts file uploads without authentication
Check Version:
Check appliance web interface or documentation for version information
Verify Fix Applied:
Verify the endpoint is no longer accessible or requires authentication, and file uploads are blocked
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php
- File creation in C:\F2MAdmin\tmp directory
Network Indicators:
- HTTP traffic to the vulnerable endpoint with file upload content
- Unusual file upload patterns to the appliance
SIEM Query:
source="web_logs" AND uri="/AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php" AND method="POST"
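To act on the log indicators above outside a SIEM, here is an added example (not code from the advisories or from AudioCodes) that scans web-server access log lines for POST requests to the vulnerable endpoint. The combined log format, the sample client addresses and the log lines themselves are constructed assumptions; it also normalises path case and strips query strings so trivial variations of the URI are still caught.

```python
import re
from urllib.parse import urlsplit

# Path of the unauthenticated upload endpoint named in the advisory.
VULN_PATH = "/AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php"

# Combined-log-format line (assumed format): client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Compare on the path alone so an appended query string does not hide the request.
    entry["path"] = urlsplit(entry["target"]).path
    return entry


def find_upload_attempts(lines):
    """Return entries for POST requests to the vulnerable endpoint, whatever the status code.

    The appliance stores files under C:\\F2MAdmin\\tmp, i.e. it is Windows-hosted, so
    path case is normalised before comparison (assumption: the web server treats it as such).
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["method"] == "POST" and entry["path"].lower() == VULN_PATH.lower():
            hits.append(entry)
    return hits


# Constructed sample lines (not real traffic): a benign GET, a POST to the endpoint,
# a POST to a lower-cased variant with a query string, and an unrelated POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Nov/2025:10:01:02 +0000] "GET /AudioCodes_files/index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Nov/2025:10:01:09 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php HTTP/1.1" 200 87',
    '198.51.100.7 - - [20/Nov/2025:10:02:30 +0000] "POST /audiocodes_files/utils/ivr/diagram/ajaxpromptuploadfile.php?x=1 HTTP/1.1" 200 87',
    '198.51.100.7 - - [20/Nov/2025:10:03:00 +0000] "POST /AudioCodes_files/login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} POST {hit["path"]} -> {hit["status"]}')
```

Feed real access logs line by line into find_upload_attempts and alert on any hit; a 200 response to such a POST warrants checking C:\F2MAdmin\tmp for newly created files.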
🔗 References
- https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt
- https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html
- https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
- https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-prompt-file-upload-via-ajaxpromptuploadfile