CVE-2025-34335
Published: 19 November 2025
Description
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an authenticated command injection vulnerability in the license activation workflow handled by AudioCodes_files/ActivateLicense.php. When a license file is uploaded, the application derives a new filename by…
more
combining a generated base name with the attacker-controlled extension portion of the original upload name, then constructs a command line for fax_server_lic_cmdline.exe that includes this path. The extension value is incorporated into the command string without input validation, escaping, or proper argument quotation before being passed to exec(). An authenticated user with access to the license upload interface can supply a specially crafted filename whose extension injects additional shell metacharacters, causing arbitrary commands to be executed as NT AUTHORITY\\SYSTEM.
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of inputs like filename extensions at upload points to block shell metacharacters from being injected into command strings executed by exec().
SI-2 mandates timely identification, reporting, and correction of flaws such as this command injection vulnerability through patching affected AudioCodes appliances.
SI-4 enables monitoring of system activities to detect indicators of command injection attacks, such as anomalous executions of fax_server_lic_cmdline.exe.
Security SummaryAI
CVE-2025-34335 is an authenticated command injection vulnerability (CWE-78) in AudioCodes Fax Server and Auto-Attendant IVR appliances, affecting versions up to and including 2.6.23. The flaw occurs in the license activation workflow managed by AudioCodes_files/ActivateLicense.php. During license file upload, the application generates a new filename by combining a base name with the attacker-controlled extension from the original filename. This path is then incorporated without input validation, escaping, or proper quotation into a command string passed to exec() for fax_server_lic_cmdline.exe.
An authenticated user with access to the license upload interface can exploit this by supplying a specially crafted filename extension containing shell metacharacters. This injects and executes arbitrary commands as NT AUTHORITY\SYSTEM. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), enabling network-accessible attacks with low complexity and privileges required, resulting in high impacts to confidentiality, integrity, and availability.
Advisories from Pierre Kim and VulnCheck provide technical details on the vulnerability, including proof-of-concept exploitation. AudioCodes has published a product notice regarding end-of-service for the Auto-Attendant IVR solution.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated command injection in a network-accessible web interface (license upload) enables exploitation of public-facing application (T1190), Windows command shell execution via shell metacharacters (T1059.003), and privilege escalation from authenticated user to NT AUTHORITY\SYSTEM (T1068).