CVE-2025-34332

7.8 HIGH

📋 TL;DR

This vulnerability allows any authenticated local user on AudioCodes Fax Server and Auto-Attendant IVR appliances to escalate privileges to SYSTEM by replacing writable batch scripts. The scripts are executed with SYSTEM privileges when service operations are performed through the web administration interface. Affected systems are all versions up to and including 2.6.23.

💻 Affected Systems

Products:
  • AudioCodes Fax Server
  • AudioCodes Auto-Attendant IVR appliances
Versions: Up to and including 2.6.23
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in default installations where the web administration component is enabled and batch scripts have overly permissive ACLs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise where an authenticated attacker gains SYSTEM privileges, enabling complete control over the Windows system, installation of malware, credential theft, and persistence.

🟠 Likely Case

Local privilege escalation by authenticated users (including low-privileged accounts) to gain SYSTEM-level access for lateral movement or data exfiltration.

🟢 If Mitigated

Limited impact if proper access controls restrict local user accounts and network segmentation isolates vulnerable systems.

🌐 Internet-Facing: LOW - The vulnerability requires local authentication; direct internet exploitation is unlikely unless the web interface is exposed and credentials are compromised.
🏢 Internal Only: HIGH - Any authenticated local user (including compromised accounts) can exploit this to gain SYSTEM privileges on internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authentication but is straightforward: replace batch file contents and trigger service operations. Public details are available in referenced advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf

Restart Required: No

Instructions:

No official patch is available. The vendor has announced end-of-service for affected products. Consider workarounds or migration to supported solutions.

🔧 Temporary Workarounds

Restrict ACLs on batch scripts

Modify file permissions to remove write access for non-administrative users on the vulnerable batch scripts:

icacls "C:\F2MAdmin\F2E\AudioCodes_files\utils\Services\*.bat" /deny "Users":(W)

Two caveats. Deny ACEs take precedence over Allow ACEs, so members of Administrators (who are normally also members of Users) lose ordinary write access to these files as well until the entry is removed. And because create and delete rights on the Services directory are enough to replace a script, the directory's ACL must be restricted to administrators and SYSTEM in the same way; the (W) simple right does not cover Delete.

Disable web administration interface

If not required, disable the web administration component to prevent access to ajaxPost.php: stop and disable the web service (e.g., IIS or Apache) hosting the administration interface.

🧯 If You Can't Patch

  • Isolate affected systems on network segments with strict access controls to limit exposure to authenticated users.
  • Implement least privilege for local user accounts and monitor for suspicious file modifications in the vulnerable directory.

🔍 How to Verify

Check if Vulnerable:

Check whether the batch scripts are writable by non-administrative users (look for Users, Authenticated Users or Everyone holding W, M or F rights in the output), and run the same check against the Services directory itself, since create/delete rights there also allow a script to be replaced:

icacls "C:\F2MAdmin\F2E\AudioCodes_files\utils\Services\*.bat"

Check Version:

Check the appliance version via web interface or configuration files; version should be 2.6.23 or earlier.

Verify Fix Applied:

Verify that non-administrative users cannot write to batch scripts in the Services directory after applying ACL restrictions.
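The "Check if Vulnerable" and "Verify Fix Applied" steps above can be run as one script. The following is an added audit script, not part of the advisory or the vendor's tooling; it assumes the default Services path from the advisory and evaluates each identity's Allow rights minus any Deny rights on the same identity, without resolving nested group membership.

```powershell
# Added ACL audit (not from the advisory or vendor). Flags principals other than
# SYSTEM/Administrators that hold write-capable rights on the Services directory
# or its .bat files. Evaluates Allow minus Deny ACEs per identity; it does not
# resolve nested group membership, so review the output rather than trusting it blindly.
param([string]$ServicesDir = 'C:\F2MAdmin\F2E\AudioCodes_files\utils\Services')

$TrustedSids = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',   # SYSTEM, Administrators, CREATOR OWNER (inherit-only placeholder)
                 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')  # TrustedInstaller

# Rights that let a user change a script's contents or replace the file outright.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
                   $FSR::TakeOwnership -bor $FSR::ChangePermissions)
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL seen in inherited ACEs

function Get-Sid($identity) {
    try { return $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $identity.Value }   # unresolvable or orphaned SID: keep the raw value
}

function Test-WritableByNonAdmin([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    $denied = @{}   # sid -> union of denied rights on this object
    foreach ($ace in $acl.Access | Where-Object AccessControlType -eq 'Deny') {
        $sid = Get-Sid $ace.IdentityReference
        $denied[$sid] = [int]$denied[$sid] -bor [int]$ace.FileSystemRights
    }
    foreach ($ace in $acl.Access | Where-Object AccessControlType -eq 'Allow') {
        $sid = Get-Sid $ace.IdentityReference
        if ($TrustedSids -contains $sid) { continue }
        $effective = [int]$ace.FileSystemRights -band (-bnot [int]$denied[$sid])
        if (($effective -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# The directory itself matters: create/delete rights there are enough to swap a script.
$targets = @($ServicesDir) + @(Get-ChildItem -LiteralPath $ServicesDir -Filter '*.bat' -File |
                                ForEach-Object FullName)
$findings = @($targets | ForEach-Object { Test-WritableByNonAdmin $_ })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "Non-administrative principals can modify or replace scripts; apply the ACL workaround."
    exit 1
}
Write-Output "No write-capable access for non-administrative principals on $ServicesDir."
exit 0
```

A non-zero exit code after applying the workaround means an Allow entry (often inherited from the parent directory) still outweighs the Deny for some identity and needs attention.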

📡 Detection & Monitoring

Log Indicators:

  • Unusual file modifications in C:\F2MAdmin\F2E\AudioCodes_files\utils\Services\
  • Process execution of batch scripts from the Services directory by SYSTEM account
  • Web logs showing requests to ajaxPost.php with service control parameters

Network Indicators:

  • HTTP requests to the administration interface from unexpected internal IPs

SIEM Query:

EventID=4688 AND SubjectUserSid='S-1-5-18' AND NewProcessName LIKE '%\cmd.exe' AND CommandLine LIKE '%C:\F2MAdmin\F2E\AudioCodes_files\utils\Services\%.bat%'

Notes on the query: batch scripts run inside cmd.exe, so the script path appears in CommandLine rather than NewProcessName, and matching on it requires process creation auditing with "Include command line in process creation events" enabled. In 4688 events for SYSTEM-launched processes, SubjectUserName holds the computer account name, so match the SID S-1-5-18 instead. Because the web interface launches these scripts legitimately, this query provides context rather than a high-fidelity alert; the stronger signal is a write to the scripts, which a SACL on the Services directory (Event ID 4663) or a file-create event from an endpoint sensor will record.