CVE-2025-34331
📋 TL;DR
AudioCodes Fax Server and Auto-Attendant IVR appliances contain an unauthenticated file read vulnerability in the download.php script. Attackers can remotely access sensitive files without authentication, potentially exposing backup archives containing database information and credential hashes. Organizations using affected AudioCodes appliances up to version 2.6.23 are vulnerable.
💻 Affected Systems
- AudioCodes Fax Server
- AudioCodes Auto-Attendant IVR
📦 What is this software?
Fax Server by AudioCodes
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of administrative credentials leading to full system takeover, exposure of all configuration data, and potential lateral movement to connected systems.
Likely Case
Disclosure of administrative password hashes and sensitive configuration files, enabling credential cracking and subsequent authenticated access to the appliance.
If Mitigated
Limited exposure of non-sensitive files due to application extension filtering, but backup archives remain accessible.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with crafted parameters. Public proof-of-concept details are available in the referenced advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
Restart Required: No
Instructions:
No official patch is available as AudioCodes has announced end-of-service for these products. The only official remediation is to decommission affected systems.
🔧 Temporary Workarounds
Block download.php access
Use web server configuration or network controls to block access to the vulnerable download.php endpoint:
# Apache (mod_rewrite must be loaded; in a server or vhost context the path carries the leading slash):
RewriteEngine On
RewriteRule ^/download\.php$ - [F]
# Nginx:
location = /download.php { deny all; }
# iptables string match (last resort: it only sees plaintext on port 80, so it does nothing for HTTPS and is defeated by URL-encoded or differently-cased variants; prefer the web server rules above):
iptables -A INPUT -p tcp --dport 80 -m string --string "download.php" --algo bm -j DROP
Network segmentation
Isolate affected appliances from untrusted networks and limit access to authorized administrative IPs only:
# Example firewall rules to restrict access (replace 10.0.0.0/8 with your administrative network; add matching rules for port 443 if the web interface is also served over HTTPS)
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Immediately remove affected appliances from internet-facing networks
- Implement strict network access controls to limit appliance access to authorized administrative IPs only
🔍 How to Verify
Check if Vulnerable:
Test if http://[appliance-ip]/download.php?file=../../etc/passwd returns system files. Use curl: curl -v 'http://target/download.php?file=../../etc/passwd'
Check Version:
Check web interface or appliance documentation for version information. No specific command provided by vendor.
Verify Fix Applied:
Verify that download.php requests return access denied errors or are blocked. Test with the same curl command used for vulnerability checking.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to download.php with path traversal patterns (../)
- Multiple failed or successful file access attempts from single sources
- Access to backup or sensitive file extensions via download.php
Network Indicators:
- Unusual spikes in traffic to download.php endpoint
- HTTP requests containing path traversal sequences from external IPs
SIEM Query:
source="web_logs" AND uri="/download.php" AND (query="*../*" OR query="*..\\*" OR query="*backup*" OR query="*.tar*" OR query="*.zip*")
The query is written in a generic Splunk-style syntax; adapt the field names to your SIEM and URL-decode the query string before matching, because the literal patterns above do not match encoded traversal such as %2e%2e%2f.
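The log indicators above, turned into a small stand-alone detector. This is an added example, not code from the advisory or from AudioCodes: it assumes the appliance's web server writes Apache/Nginx "combined" format access logs, URL-decodes each request before matching (so %2e%2e%2f and backslash variants are caught, which the literal SIEM patterns miss), tags each hit as traversal and/or backup-archive access, and flags any source IP that crosses a repeat threshold. The sample log lines are constructed for the demonstration and use documentation IP ranges.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2025:10:01:02 +0000] "GET /download.php?file=../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.4.0"
203.0.113.7 - - [20/Nov/2025:10:01:05 +0000] "GET /download.php?file=%2e%2e%2f%2e%2e%2fbackup%2fconfig.tar.gz HTTP/1.1" 200 40211 "-" "curl/8.4.0"
198.51.100.4 - - [20/Nov/2025:10:02:17 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Nov/2025:10:02:20 +0000] "GET /download.php?file=report-2025.pdf HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:01:09 +0000] "GET /download.php?file=..%5c..%5cbackup.zip HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# "../" or "..\" anywhere in the decoded query string.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Backup-archive style file names requested through download.php.
BACKUP_RE = re.compile(r'(backup|\.tar(\.gz)?$|\.zip$|\.sql$)', re.IGNORECASE)

VULNERABLE_PATH = '/download.php'


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Return the set of indicator tags for one request target (empty if benign or another path)."""
    parts = urlsplit(target)
    if parts.path != VULNERABLE_PATH:
        return set()
    # Decode twice so double-encoded traversal (%252e) is also normalised before matching.
    query = unquote(unquote(parts.query))
    tags = set()
    if TRAVERSAL_RE.search(query):
        tags.add('traversal')
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(BACKUP_RE.search(v) for v in values):
            tags.add('backup-archive')
    return tags


def scan(log_text, threshold=3):
    """Scan log text; return (list of findings, sorted IPs with >= threshold suspicious requests)."""
    findings = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        tags = classify(rec['target'])
        if not tags:
            continue
        per_ip[rec['ip']] += 1
        findings.append({
            'ip': rec['ip'],
            'ts': rec['ts'],
            'status': rec['status'],   # a 200 means the file was served; a 403 shows the block working
            'target': rec['target'],
            'tags': sorted(tags),
        })
    repeat_sources = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return findings, repeat_sources


if __name__ == '__main__':
    hits, sources = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['status']} {','.join(h['tags'])} {h['target']}")
    print('repeat sources:', sources)
```

Feed it the appliance's real access log (for example `scan(open('/var/log/apache2/access.log').read())`) and forward the findings to your SIEM; the status field distinguishes successful reads (200) from requests your download.php block rejected (403), which is the signal to watch after applying the workaround.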
🔗 References
- https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt
- https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html
- https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
- https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-file-read-via-download