Cyber Posture

CVE-2025-34328

Severity: Critical · Public PoC referenced
Published: 19 November 2025
Modified: 12 December 2025
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0053 (67.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-34328 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in AudioCodes Fax Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks it in the top 32.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3 Access Enforcement): Enforces access controls to block unauthenticated remote access to the vulnerable script-management endpoint at ajaxScript.php.

prevent: Requires validation of attacker-supplied data before writing to server-side files, directly addressing the unrestricted arbitrary file write vulnerability.

prevent (AC-6 Least Privilege): Restricts web service account privileges below NT AUTHORITY\SYSTEM to limit the impact of arbitrary file writes and subsequent code execution.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an unauthenticated arbitrary file write in a public-facing web administration component, enabling remote code execution, which directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\SYSTEM on Windows deployments. A remote, unauthenticated attacker can write arbitrary files into the product’s web-accessible directory structure and subsequently execute them.

Deeper analysis

CVE-2025-34328 is an unauthenticated arbitrary file write vulnerability in AudioCodes Fax Server and Auto-Attendant IVR appliances, affecting versions up to and including 2.6.23. The issue exists in the F2MAdmin web administration component, which exposes a script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\SYSTEM on Windows deployments.

A remote, unauthenticated attacker can exploit this endpoint to write arbitrary files into the product's web-accessible directory structure and subsequently execute them, resulting in remote code execution with SYSTEM-level privileges. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type).

Advisories from Pierre Kim and VulnCheck provide technical details on the vulnerability, including proof-of-concept exploitation. AudioCodes has issued a product notice announcing end-of-service for the Auto-Attendant IVR solution.
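As an added example (not part of this page, the cited advisories, or AudioCodes' product), the following Python scans web-server access logs for the write-then-execute pattern the analysis describes: a request to the ajaxScript.php endpoint named above, followed by the same client fetching a server-side script under the product tree that nobody had requested before. Assumptions: Apache-style combined log format, the product tree served under /AudioCodes_files/, and constructed sample lines with a made-up file name (new_handler.php).

```python
import re

# Endpoint named on this page; the product-tree prefix is an assumption.
ENDPOINT = "/AudioCodes_files/utils/IVR/diagram/ajaxScript.php"
PRODUCT_ROOT = "/AudioCodes_files/"

# Combined access-log format (Apache style); IIS W3C logs would need another regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # strip the query string
    rec["status"] = int(rec["status"])
    return rec

def detect(lines):
    """Return (kind, ip, timestamp, path) alerts: 'endpoint_hit' for any request to the
    endpoint (case-insensitive, as Windows paths are); 'new_script_executed' when a client
    that hit it later gets a 200 for a .php under the product tree nobody requested before."""
    alerts, seen_paths, hit_clients = [], set(), set()
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        path, ip = rec["path"], rec["ip"]
        low = path.lower()
        if low == ENDPOINT.lower():
            alerts.append(("endpoint_hit", ip, rec["ts"], path))
            hit_clients.add(ip)
        elif (ip in hit_clients and low.startswith(PRODUCT_ROOT.lower())
              and low.endswith(".php") and low not in seen_paths
              and rec["status"] == 200):
            alerts.append(("new_script_executed", ip, rec["ts"], path))
        seen_paths.add(low)   # first sighting of any path, from any client
    return alerts

# Constructed sample traffic (RFC 5737 test addresses, made-up file name new_handler.php).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2025:10:01:02 +0000] "GET /F2MAdmin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Nov/2025:10:02:15 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxScript.php HTTP/1.1" 200 17 "-" "curl/8.4"
198.51.100.9 - - [20/Nov/2025:10:02:16 +0000] "GET /AudioCodes_files/utils/IVR/diagram/new_handler.php HTTP/1.1" 200 64 "-" "curl/8.4"
203.0.113.7 - - [20/Nov/2025:10:03:00 +0000] "GET /F2MAdmin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
```

Run `detect(SAMPLE_LOG.splitlines())` to see one `endpoint_hit` and one `new_script_executed` alert, both for 198.51.100.9; the second client's first-ever visit to index.php is not flagged because it never touched the endpoint. A longer baseline window before the hit reduces false positives from legitimately new pages.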

Details

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products:
audiocodes fax server ≤ 2.6.23
audiocodes interactive voice response ≤ 2.6.23

CVEs Like This One

CVE-2025-34329: same product (Audiocodes Fax Server)
CVE-2025-34335: same product (Audiocodes Fax Server)
CVE-2025-34334: same product (Audiocodes Fax Server)
CVE-2025-54440: shared CWE-434
CVE-2024-56828: shared CWE-434
CVE-2025-34299: shared CWE-434
CVE-2022-50936: shared CWE-434
CVE-2025-12673: shared CWE-434
CVE-2025-13067: shared CWE-434
CVE-2026-3459: shared CWE-434
