CVE-2025-34335
Description
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an authenticated command injection vulnerability in the license activation workflow handled by AudioCodes_files/ActivateLicense.php. When a license file is uploaded, the application derives a new filename by combining a generated base name with the attacker-controlled extension portion of the original upload name, then constructs a command line for fax_server_lic_cmdline.exe that includes this path. The extension value is incorporated into the command string without input validation, escaping, or proper argument quotation before being passed to exec(). An authenticated user with access to the license upload interface can supply a specially crafted filename whose extension injects additional shell metacharacters, causing arbitrary commands to be executed as NT AUTHORITY\\SYSTEM.
CVSS Details
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Threat Intelligence
Weaknesses 1
Affected Products 2
| Vendor | Product | Version | Range |
|---|---|---|---|
| audiocodes | fax_server | * | ≤2.6.23 |
| audiocodes | interactive_voice_response | * | <2.6.23 |
References 4
- pierrekim.github.io https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt
- pierrekim.github.io https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html
- audiocodes.com https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
- vulncheck.com https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-authenticated-command-injection-via-activatelicense
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.