CVE-2025-34335
📋 TL;DR
This CVE describes an authenticated command injection vulnerability in AudioCodes Fax Server and Auto-Attendant IVR appliances. An authenticated user can upload a specially crafted license file with malicious shell metacharacters in the filename extension, leading to arbitrary command execution as NT AUTHORITY\SYSTEM. Organizations using affected AudioCodes appliances up to version 2.6.23 are vulnerable.
💻 Affected Systems
- AudioCodes Fax Server
- AudioCodes Auto-Attendant IVR appliances
📦 What is this software?
Fax Server by Audiocodes
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing attackers to install persistent backdoors, exfiltrate sensitive data, pivot to other network systems, or deploy ransomware.
Likely Case
Attackers with authenticated access (compromised credentials or insider threat) gain SYSTEM privileges to execute commands, potentially installing malware or establishing persistence.
If Mitigated
With proper network segmentation and access controls, impact is limited to the appliance itself, though SYSTEM access still allows significant damage to that system.
🎯 Exploit Status
Exploit details are publicly documented with specific payload examples. Requires authenticated access but the injection mechanism is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
Restart Required: No
Instructions:
No official patch is available. AudioCodes has announced end-of-service for these products. The only official remediation is to decommission affected appliances and migrate to supported solutions.
🔧 Temporary Workarounds
Remove or Restrict Access to ActivateLicense.php
Delete or rename the vulnerable PHP file to prevent exploitation via the license upload interface. On the Windows appliance (cmd.exe), the rename command takes only the new file name as its second argument, not a full path:
rename C:\path\to\AudioCodes_files\ActivateLicense.php ActivateLicense.php.disabled
Implement Web Application Firewall (WAF) Rules
Deploy WAF rules to block requests containing shell metacharacters in filename parameters. Apply the check after URL-decoding the parameter, otherwise percent-encoded metacharacters pass through.
🧯 If You Can't Patch
- Immediately restrict network access to the appliance's web interface using firewall rules to only allow necessary administrative IPs.
- Implement strict access controls and monitoring for authenticated users, including multi-factor authentication and regular credential rotation.
🔍 How to Verify
Check if Vulnerable:
Check the appliance version via the web interface or system information. If the version is 2.6.23 or earlier and the ActivateLicense.php file exists in the AudioCodes_files directory, the system is vulnerable.
Check Version:
Check via the web interface at /system_info or examine the appliance documentation. The vendor provides no single CLI command for this.
Verify Fix Applied:
Verify that ActivateLicense.php has been removed/renamed or that the appliance has been decommissioned. Test license upload functionality to confirm it's no longer accessible.
📡 Detection & Monitoring
Log Indicators:
- Unusual license upload attempts with suspicious filenames containing characters like ;, &, |, or $
- Commands executed from fax_server_lic_cmdline.exe with unexpected parameters
- Web server logs showing POST requests to ActivateLicense.php with anomalous filenames
Network Indicators:
- Unusual outbound connections from the appliance following license upload activities
- Traffic patterns suggesting command-and-control communication
SIEM Query:
source="web_server" AND uri="/AudioCodes_files/ActivateLicense.php" AND (filename="*;*" OR filename="*&*" OR filename="*|*" OR filename="*$*")
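The following is an added detection example, not code from the advisory or from AudioCodes. It implements the same logic as the SIEM query above (POST to ActivateLicense.php with a filename containing ;, &, | or $) as a small Python filter that can run over exported log lines, and the same metacharacter test can back the WAF rule from the workarounds section. The key="value" log format, the field names (source, method, uri, filename) and the sample lines are constructed for this example; real web server or SIEM exports will need a different parser. It also URL-decodes the filename before testing, an assumption added here so that percent-encoded metacharacters are not missed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Characters the advisory lists as injection indicators in the uploaded
# license filename: command separators and variable expansion markers.
SHELL_METACHARS = frozenset(";&|$")

# Upload endpoint named in the advisory.
TARGET_URI = "/AudioCodes_files/ActivateLicense.php"

# Constructed sample log lines (key="value" format assumed for this example).
# None of the filenames carries a real command; they only exercise the check.
SAMPLE_LOG = [
    'source="web_server" method="POST" uri="/AudioCodes_files/ActivateLicense.php" filename="license.lic"',
    'source="web_server" method="POST" uri="/AudioCodes_files/ActivateLicense.php" filename="license.lic;x"',
    'source="web_server" method="GET" uri="/index.php" filename=""',
    'source="web_server" method="POST" uri="/AudioCodes_files/ActivateLicense.php" filename="lic.txt%26x"',
    'this line is not in the expected format and is skipped',
]


@dataclass
class Event:
    source: str
    method: str
    uri: str
    filename: str
    raw: str


def has_shell_metachar(filename: str) -> bool:
    """True if the filename (after URL-decoding) contains any metacharacter
    from SHELL_METACHARS. This is the WAF / SIEM test from the advisory."""
    decoded = unquote(filename)
    return any(c in SHELL_METACHARS for c in decoded)


def parse_event(line: str) -> Optional[Event]:
    """Parse one key="value" log line into an Event; None if it has no uri."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    if "uri" not in fields:
        return None
    return Event(
        source=fields.get("source", ""),
        method=fields.get("method", ""),
        uri=fields["uri"],
        filename=fields.get("filename", ""),
        raw=line,
    )


def detect_license_injection(lines: Iterable[str]) -> List[Event]:
    """Return events that match the advisory's indicator: a request to the
    license upload endpoint whose filename carries a shell metacharacter."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None or event.uri != TARGET_URI:
            continue
        if has_shell_metachar(event.filename):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in detect_license_injection(SAMPLE_LOG):
        print(f"ALERT suspicious license upload filename={hit.filename!r}: {hit.raw}")
```

Run against the constructed sample, the filter flags the two upload events whose filename contains a metacharacter (one literal, one percent-encoded) and ignores the clean upload, the unrelated GET and the unparseable line. Feed `detect_license_injection` the lines from a real export once `parse_event` has been adapted to that log format.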
🔗 References
- https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt
- https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html
- https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
- https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-authenticated-command-injection-via-activatelicense