CVE-2025-34329

CVE-2025-34329 is an unauthenticated arbitrary file upload vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) in AudioCodes Fax Server and Auto-Attendant IVR appliances, affecting versions up to and including 2.6.23. The issue exists in the F2MAdmin web interface, which exposes the endpoint AudioCodes_files/ajaxBackupUploadFile.php. This script derives a backup folder path from application configuration, creates the directory if needed, and moves an attacker-supplied file to that location using a fully attacker-controlled filename, with no authentication, authorization, or file-type validation. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote, unauthenticated attacker can exploit this endpoint to upload arbitrary files to the backup directory. On default Windows deployments, where the backup path resolves to the system drive, an attacker can upload web server or interpreter configuration files that coerce log files or other server-controlled resources to be interpreted as executable code. Follow-up HTTP requests to the affected appliance then trigger arbitrary command execution with the privileges of the web server account, which operates as NT AUTHORITY\SYSTEM.

Advisories published by Pierre Kim and Vulncheck provide technical details on the vulnerability, including proof-of-concept exploitation steps. AudioCodes has released a product notice announcing end-of-service for the Auto-Attendant IVR solution, with no patches referenced for the affected versions. Security practitioners should isolate exposed instances, restrict network access to the F2MAdmin interface, and consider migrating to supported products.