CVE-2025-34333 – This vulnerability allows any authenticated loc... (How to Fix)

Q: What is the severity of CVE-2025-34333?

CVE-2025-34333 has a CVSS score of 7.8 (HIGH). This vulnerability allows any authenticated local user on AudioCodes Fax Server and Auto-Attendant IVR appliances to achieve privilege escalation to SYSTEM level. By exploiting overly permissive file permissions on the webroot directory, attackers can upload or modify server-side scripts and execute them via HTTP requests. Organizations running affected versions of these appliances are at risk.

📋 TL;DR

This vulnerability allows any authenticated local user on AudioCodes Fax Server and Auto-Attendant IVR appliances to achieve privilege escalation to SYSTEM level. By exploiting overly permissive file permissions on the webroot directory, attackers can upload or modify server-side scripts and execute them via HTTP requests. Organizations running affected versions of these appliances are at risk.

💻 Affected Systems

Products:

AudioCodes Fax Server
AudioCodes Auto-Attendant IVR

Versions: Up to and including 2.6.23

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects appliances with the default installation path C:\F2MAdmin\F2E. Requires local user authentication but not administrative privileges.

📦 What is this software?

Fax Server by Audiocodes

View all CVEs affecting Fax Server →

Interactive Voice Response by Audiocodes

View all CVEs affecting Interactive Voice Response →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing attackers to install persistent backdoors, steal sensitive data, disable security controls, and pivot to other network systems.

🟠

Likely Case

Privilege escalation from standard user accounts to SYSTEM, enabling installation of malware, credential harvesting, and lateral movement within the network.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege access controls, and file integrity monitoring are implemented.

🌐 Internet-Facing: MEDIUM - While exploitation requires local authentication, internet-facing appliances increase attack surface and could be combined with other vulnerabilities.

🏢 Internal Only: HIGH - Any authenticated local user can exploit this, making internal threats particularly dangerous in multi-user environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation is straightforward once local access is obtained. Public technical details and proof-of-concept information are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf

Restart Required: No

Instructions:

No official patch is available as AudioCodes has announced end-of-service for these products. Consider the workarounds and mitigation steps below.

🔧 Temporary Workarounds

Restrict webroot directory permissions

windows

Modify NTFS permissions on C:\F2MAdmin\F2E to remove write access for non-administrative users while maintaining read/execute for the web server process.

icacls "C:\F2MAdmin\F2E" /inheritance:r
icacls "C:\F2MAdmin\F2E" /grant "NT AUTHORITY\SYSTEM":(OI)(CI)F
icacls "C:\F2MAdmin\F2E" /grant "Builtin\Administrators":(OI)(CI)F
icacls "C:\F2MAdmin\F2E" /grant "IIS_IUSRS":(OI)(CI)RX

Implement file integrity monitoring

all

Deploy monitoring to detect unauthorized changes to files in the webroot directory.

🧯 If You Can't Patch

Implement strict network segmentation to isolate affected appliances from critical systems
Enforce least privilege access controls and regularly audit local user accounts

🔍 How to Verify

Check if Vulnerable:

Check if C:\F2MAdmin\F2E directory exists and verify permissions using: icacls "C:\F2MAdmin\F2E"

Check Version:

Check appliance web interface or documentation for version information

Verify Fix Applied:

Verify that non-administrative users cannot write to the directory: icacls "C:\F2MAdmin\F2E" | findstr "(W)"

📡 Detection & Monitoring

Log Indicators:

Unexpected file creation/modification in C:\F2MAdmin\F2E
Unusual process execution with SYSTEM privileges from web server context
Failed permission change attempts on webroot directory

Network Indicators:

Unusual HTTP requests to previously non-existent script files
Suspicious outbound connections originating from the appliance

SIEM Query:

EventID=4663 AND ObjectName LIKE '%C:\F2MAdmin\F2E%' AND Accesses LIKE '%Write%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrator')

📊 Metadata

CVE ID: CVE-2025-34333

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-276

EPSS Score: 0.04% exploit probability (9.8th percentile)

Published: November 19, 2025

Last Updated: December 11, 2025

🔗 References

https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt Exploit,Third Party Advisory
https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html Exploit,Third Party Advisory
https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf Product
https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-world-writable-webroot-lpe Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-34333, you might also want to check these: