PT-2025-47478 · Audiocodes · Auto-Attendant Ivr+1

Pierre Barre · Published 2025-11-19 · Updated 2025-11-20 · CVE-2025-34329

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AudioCodes Fax Server and Auto-Attendant IVR appliances, versions up to and including 2.6.23

Description: The software contains an unauthenticated backup upload endpoint at /AudioCodes files/ajaxBackupUploadFile.php within the F2MAdmin web interface. The script reads a backup folder path from the application configuration, creates the directory if it does not exist, and then moves the uploaded file into that directory under the attacker-controlled filename, with no authentication, authorization, or file-type validation. On default Windows deployments, where the backup directory resolves to the system drive, a remote attacker can therefore write web server or interpreter configuration files. Such a file can cause a log file or another server-controlled resource to be interpreted as executable code, so that subsequent HTTP requests trigger arbitrary command execution under the web server account, which runs as NT AUTHORITY\SYSTEM.

Recommendations: Versions prior to 2.6.23 should be updated.
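The following is an added illustration and not AudioCodes code: a minimal model of the upload handler described above, first in the unsafe shape the advisory describes (directory taken from config, created if missing, upload moved under the client-supplied name, no authentication) and then in a hardened form that adds the missing controls. The function names, the session dictionary, the extension allowlist and the scratch directory are assumptions made for illustration.

```python
"""Unsafe vs. hardened handling of a backup upload (added example, not vendor code)."""
import os
import re
import secrets
import tempfile


def vulnerable_store(backup_dir: str, client_filename: str, data: bytes) -> str:
    """Mirrors the advisory: no auth, no name or type check, client picks the name."""
    os.makedirs(backup_dir, exist_ok=True)
    # Traversal components and dotfiles (.htaccess, .user.ini, web.config) pass straight through.
    dest = os.path.join(backup_dir, client_filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


# Assumption: whatever extensions a legitimate backup archive actually uses.
ALLOWED_EXTENSIONS = {"zip", "bak"}
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


class UploadRejected(Exception):
    pass


def hardened_store(backup_dir: str, client_filename: str, data: bytes, session: dict) -> str:
    """Same operation with the controls the vulnerable endpoint lacks."""
    # 1. Authenticate and authorize before touching the filesystem at all.
    if not session.get("authenticated") or session.get("role") != "admin":
        raise UploadRejected("login required")
    # 2. Reduce the client name to a base name and refuse hidden or traversal-like names.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or base.startswith(".") or base in (".", ".."):
        raise UploadRejected("bad filename")
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed")
    # 3. Never reuse the client name on disk: server-generated name, normalised extension.
    safe_name = f"{_UNSAFE_CHARS.sub('_', stem)[:40]}-{secrets.token_hex(8)}.{ext.lower()}"
    root = os.path.realpath(backup_dir)
    os.makedirs(root, exist_ok=True)
    dest = os.path.realpath(os.path.join(root, safe_name))
    # 4. Belt and braces: the resolved destination must stay under the backup root.
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("path escapes backup directory")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Runs both handlers in a scratch directory and reports what each accepted."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="backup-demo-"))
    backup_dir = os.path.join(root, "backup")  # stands in for the config-derived folder
    out = {"root": root, "vulnerable": {}, "hardened": {}}
    # Unauthenticated, attacker-named uploads all land on disk with the vulnerable handler.
    for name in ("../escaped.txt", ".htaccess", "shell.php"):
        out["vulnerable"][name] = vulnerable_store(backup_dir, name, b"constructed payload")
    out["escaped_outside_backup"] = os.path.dirname(out["vulnerable"]["../escaped.txt"]) == root
    anon, admin = {}, {"authenticated": True, "role": "admin"}
    for session, name in ((anon, "backup.zip"), (admin, ".htaccess"),
                          (admin, "shell.php"), (admin, "../backup.zip")):
        try:
            out["hardened"][name] = hardened_store(backup_dir, name, b"constructed payload", session)
        except UploadRejected as exc:
            out["hardened"][name] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hardened variant deliberately does not try to blacklist dangerous names: the client name is discarded entirely and the server chooses the on-disk name, so a dropped .htaccess, web.config or .user.ini can never be written, whichever interpreter or web server sits in front of the backup directory.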

Weakness Enumeration
Unrestricted File Upload

Related Identifiers
CVE-2025-34329

Affected Products
AudioCodes Fax Server
Auto-Attendant IVR