CVE-2025-34334
Published: 19 November 2025
Description
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 are vulnerable to an authenticated command injection in the fax test functionality implemented by AudioCodes_files/TestFax.php. When a fax "send" test is requested, the application builds a faxsender command line using attacker-supplied parameters and passes it to GlobalUtils::RunBatchFile without proper validation or shell-argument sanitization. The resulting batch file is written into a temporary run directory and then executed via a backend service that runs as NT AUTHORITY\SYSTEM. An authenticated attacker with access to the fax test interface can craft parameter values that inject additional shell commands into the generated batch file, leading to arbitrary command execution with SYSTEM privileges. In addition, because the generated batch files reside in a location with overly permissive file system permissions, a local low-privilege user on the server can modify pending batch files to achieve the same elevation.
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Validates attacker-supplied parameters in the fax test functionality to prevent command injection into the generated batch file.
- Enforces least privilege on the backend service to prevent arbitrary command execution with NT AUTHORITY\SYSTEM privileges even if injection occurs.
- Establishes secure configuration settings for the temporary run directory to restrict overly permissive file system permissions and block low-privilege user modifications.
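As an added illustration of the first mitigating control (example code written for this page, not AudioCodes code and not taken from the referenced advisories), the PHP below validates fax test parameters against strict allowlists before any command line is assembled, and only then builds the batch file body from the validated values. The parameter names `number` and `sender_id`, the `--to`/`--from` flags, and the executable path are assumptions; the page does not document the real TestFax.php interface or the faxsender command syntax.

```php
<?php
declare(strict_types=1);

// Added example, not AudioCodes code. Parameter names, flags and the
// faxsender path below are hypothetical; the control being shown is
// allowlist validation before anything reaches a batch file.

/**
 * Validate fax-test parameters against strict allowlists. Anything not
 * explicitly permitted is rejected, so cmd.exe / batch metacharacters
 * (& | < > ^ " % !) can never be written into the generated batch file.
 *
 * @param array<string,mixed> $params raw request parameters
 * @return array{number:string,sender_id:string}
 */
function validateFaxTestParams(array $params): array
{
    $number = $params['number'] ?? null;
    // Digits with an optional leading '+', bounded length (E.164-style).
    if (!is_string($number) || preg_match('/\A\+?[0-9]{3,20}\z/', $number) !== 1) {
        throw new InvalidArgumentException('fax number must be 3-20 digits');
    }

    $senderId = $params['sender_id'] ?? null;
    // Letters, digits and a few separators only; no shell or batch syntax.
    if (!is_string($senderId) || preg_match('/\A[A-Za-z0-9._-]{1,32}\z/', $senderId) !== 1) {
        throw new InvalidArgumentException('sender id contains disallowed characters');
    }

    return ['number' => $number, 'sender_id' => $senderId];
}

/**
 * Build the batch file body from validated values only. The executable path
 * comes from server configuration, never from the request. Double quotes are
 * a second layer; the allowlist above already guarantees no quote or
 * metacharacter can appear inside them.
 *
 * @param array{number:string,sender_id:string} $validated
 */
function buildFaxTestBatch(array $validated, string $faxSenderExe): string
{
    $lines = [
        '@echo off',
        sprintf('"%s" --to "%s" --from "%s"',
            $faxSenderExe, $validated['number'], $validated['sender_id']),
    ];
    return implode("\r\n", $lines) . "\r\n";
}

// Demonstration with constructed input: a clean request passes, while a
// request carrying a batch metacharacter is rejected before any file is
// written or any command line is built.
$good = validateFaxTestParams(['number' => '+15550100', 'sender_id' => 'test-fax']);
echo buildFaxTestBatch($good, 'C:\\Program Files\\FaxServer\\faxsender.exe');

try {
    validateFaxTestParams(['number' => '15550100&echo', 'sender_id' => 'test-fax']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The allowlist is the primary control here rather than escaping: in a batch file, `%VAR%` and delayed `!VAR!` expansion still take effect inside double quotes, so quoting alone does not make arbitrary user input safe. The second and third controls on the list are operating-system configuration rather than application code: run the backend service under a dedicated low-privilege account instead of SYSTEM, and give the run directory an ACL that only that service account can write to, so a local user cannot edit a pending batch file between generation and execution.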
Security Summary [AI-generated]
CVE-2025-34334 is an authenticated command injection vulnerability (CWE-78) with a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting AudioCodes Fax Server and Auto-Attendant IVR appliances in versions up to and including 2.6.23. The flaw exists in the fax test functionality implemented by AudioCodes_files/TestFax.php, where the application builds a faxsender command line using attacker-supplied parameters and passes it to GlobalUtils::RunBatchFile without proper validation or shell-argument sanitization. The resulting batch file is written to a temporary run directory and executed via a backend service running as NT AUTHORITY\SYSTEM.
An authenticated attacker with access to the fax test interface can exploit this by crafting parameter values that inject additional shell commands into the generated batch file, enabling arbitrary command execution with SYSTEM privileges. Furthermore, the temporary run directory has overly permissive file system permissions, allowing a local low-privilege user on the server to modify pending batch files and achieve the same privilege escalation to SYSTEM.
Advisories from Pierre Kim and VulnCheck detail the vulnerability and its exploitation mechanics, while AudioCodes has published a product notice announcing end-of-service for the Auto-Attendant IVR solution. No patches are referenced for affected versions.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Authenticated command injection in the web interface enables Windows Command Shell execution (T1059.003) and remote exploitation (T1190, T1210), leading to SYSTEM privilege escalation (T1068); the permissive temp directory enables abuse of weak file system permissions (T1044).