CVE-2025-34330
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-19

Last updated on: 2025-12-12

Assigner: VulnCheck

Description
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated prompt upload endpoint at AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php. The script accepts an uploaded file and writes it into the C:\\F2MAdmin\\tmp directory using a filename derived from application constants, without any authentication, authorization, or file-type validation. A remote, unauthenticated attacker can upload or overwrite prompt- or music-on-hold–related files in this directory, potentially leading to tampering with IVR audio content or preparing files for use in further attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-19
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-11-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34330
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
audiocodes fax_server to 2.6.23 (inc)
audiocodes interactive_voice_response to 2.6.23 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in AudioCodes Fax Server and Auto-Attendant IVR appliances up to version 2.6.23. It involves a web administration component called F2MAdmin that has an unauthenticated file upload endpoint. This endpoint allows anyone to upload files without authentication, authorization, or file-type validation, writing them to a specific directory. An attacker can upload or overwrite audio prompt or music-on-hold files, potentially tampering with IVR audio content or using these files to facilitate further attacks.

Impact Analysis

The vulnerability can allow a remote, unauthenticated attacker to upload or overwrite audio files used by the IVR system. This could lead to tampering with the audio content that callers hear, potentially causing misinformation or disruption. Additionally, the attacker might use the uploaded files as a foothold for further attacks against the system or network.

Detection Guidance

Detection can be performed by checking for the presence of the vulnerable script at the path AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php on the AudioCodes Fax Server or Auto-Attendant IVR appliances. Network monitoring for HTTP POST requests to this endpoint without authentication may indicate exploitation attempts. Additionally, inspecting the C:\F2MAdmin\tmp directory for unexpected or recently modified files related to prompts or music-on-hold can help identify exploitation. Specific commands depend on the environment, but for example, on the server, listing files by modification date in the tmp directory can be done with: dir C:\F2MAdmin\tmp /T:W. Network traffic capture tools like Wireshark or tcpdump can be used to monitor HTTP POST requests to the vulnerable URL.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable web administration component, especially the ajaxPromptUploadFile.php endpoint, by implementing network-level controls such as firewall rules or access control lists to limit access to trusted administrators only. If possible, disable or remove the vulnerable script or upgrade the AudioCodes Fax Server and Auto-Attendant IVR appliances to a version later than 2.6.23 where this vulnerability is fixed. Monitoring and auditing the C:\F2MAdmin\tmp directory for unauthorized file uploads and removing any suspicious files is also recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34330. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart