CVE-2025-34334
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary commands with SYSTEM privileges on AudioCodes Fax Server and Auto-Attendant IVR appliances. Attackers can exploit the fax test functionality to inject shell commands that run with highest system permissions. Organizations using affected AudioCodes appliances up to version 2.6.23 are at risk.
💻 Affected Systems
- AudioCodes Fax Server
- AudioCodes Auto-Attendant IVR
📦 What is this software?
Fax Server by Audiocodes
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent backdoors, steal sensitive data, disable security controls, and pivot to other network systems.
Likely Case
Authenticated attackers gaining full control of the appliance, potentially accessing fax communications, modifying IVR configurations, and using the system as a foothold for lateral movement.
If Mitigated
Limited impact if strong network segmentation, strict access controls, and monitoring are in place, though the vulnerability still provides SYSTEM-level access if exploited.
🎯 Exploit Status
Detailed technical analysis and exploitation details are publicly available in security advisories. Requires authenticated access but exploitation is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
Restart Required: No
Instructions:
No official patch available. AudioCodes has announced end-of-service for these products. Consider migrating to supported solutions or implementing workarounds.
🔧 Temporary Workarounds
Disable Fax Test Functionality
Remove or restrict access to the vulnerable TestFax.php interface
Move or rename AudioCodes_files/TestFax.php to disable the vulnerable endpoint
Restrict File Permissions
Secure the temporary run directory to prevent local privilege escalation
icacls "C:\path\to\temp\run\directory" /inheritance:r /grant "NT AUTHORITY\SYSTEM":F /grant "Administrators":F
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected appliances from critical systems
- Enforce strong authentication controls and limit access to administrative interfaces to only necessary personnel
🔍 How to Verify
Check if Vulnerable:
Check appliance version via web interface or command line. If version is 2.6.23 or earlier, the system is vulnerable.
Check Version:
Check web interface admin panel or examine installed software in Windows Control Panel
Verify Fix Applied:
Verify TestFax.php is no longer accessible and temporary directory permissions are restricted
📡 Detection & Monitoring
Log Indicators:
- Unusual fax test activity
- Batch file execution in temporary directories
- Commands with unusual parameters in faxsender processes
Network Indicators:
- HTTP requests to TestFax.php with suspicious parameters
- Outbound connections from appliance to unexpected destinations
SIEM Query:
source="audiocodes_appliance" AND (uri="*TestFax.php*" OR (process="faxsender" AND (cmd="*&*" OR cmd="*|*")))
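The indicators above expressed as detection logic over sample log lines, as an added example that is not part of the advisory or of any AudioCodes tooling. The access-log format, the process-event format, the `faxsender.exe` image name and the `C:\temp\run` directory are assumptions; the log lines are constructed for the example.

```python
"""Flag log lines matching the TestFax.php / faxsender indicators (added example)."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines in Apache combined style (assumed format).
WEB_LOG = """\
10.0.0.5 - admin [20/Nov/2025:10:01:02 +0000] "GET /AudioCodes_files/TestFax.php?number=5551234 HTTP/1.1" 200 512
10.0.0.7 - admin [20/Nov/2025:10:05:44 +0000] "GET /AudioCodes_files/TestFax.php?number=5551234%26%26test HTTP/1.1" 200 512
10.0.0.9 - - [20/Nov/2025:10:06:10 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# Constructed sample process-creation events: timestamp, image, command line (tab-separated).
PROC_LOG = """\
2025-11-20T10:05:45Z\tfaxsender.exe\tfaxsender.exe -n 5551234 -f C:\\temp\\run\\job1.tif
2025-11-20T10:05:46Z\tfaxsender.exe\tfaxsender.exe -n 5551234&&test -f C:\\temp\\run\\job2.tif
2025-11-20T10:05:47Z\tcmd.exe\tcmd.exe /c C:\\temp\\run\\job3.bat
"""

# Shell metacharacters that have no business in a fax number or file name.
SHELL_META = re.compile(r"[&|;`$]")
# Batch file run from the assumed temporary run directory (hypothetical path).
TEMP_BATCH = re.compile(r"\\temp\\run\\[^\s]+\.bat$", re.IGNORECASE)
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_web_requests(log_text):
    """Return every TestFax.php request, marking those whose query carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/testfax.php"):
            continue
        # Decode each raw value separately: decoding the whole query first would turn an
        # encoded %26 into a field separator and hide it from the check.
        values = [unquote(v) for kv in parts.query.split("&") for v in kv.split("=", 1)[1:]]
        hits.append({
            "src": m.group("src"),
            "user": m.group("user"),
            "path": parts.path,
            "suspicious": any(SHELL_META.search(v) for v in values),
        })
    return hits


def flag_process_events(log_text):
    """Return process events matching the faxsender / temp-batch indicators with their reasons."""
    alerts = []
    for line in log_text.splitlines():
        ts, image, cmdline = line.split("\t", 2)
        reasons = []
        if image.lower().startswith("faxsender") and SHELL_META.search(cmdline):
            reasons.append("shell metacharacter in faxsender command line")
        if TEMP_BATCH.search(cmdline):
            reasons.append("batch file executed from temporary run directory")
        if reasons:
            alerts.append({"ts": ts, "image": image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for hit in flag_web_requests(WEB_LOG):
        print("WEB ", hit)
    for alert in flag_process_events(PROC_LOG):
        print("PROC", alert)
```

Every TestFax.php request is returned, not only the suspicious ones, because the indicator list treats unusual fax-test activity itself as a signal; the `suspicious` flag separates the metacharacter cases that correspond to the `cmd="*&*"` and `cmd="*|*"` clauses of the SIEM query.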
🔗 References
- https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt
- https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html
- https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
- https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-authenticated-command-injection-via-testfax-and-lpe