CVE-2025-34328
Published: 19 November 2025
Summary
CVE-2025-34328 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in AudioCodes Fax Server. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-34328 is an unauthenticated arbitrary file write vulnerability in AudioCodes Fax Server and Auto-Attendant IVR appliances, affecting versions up to and including 2.6.23. The issue exists in the F2MAdmin web administration component, which exposes a script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\SYSTEM on Windows deployments.
A remote, unauthenticated attacker can exploit this endpoint to write arbitrary files into the product's web-accessible directory structure and subsequently execute them, resulting in remote code execution with SYSTEM-level privileges. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type).
Advisories from Pierre Kim and VulnCheck provide technical details on the vulnerability, including proof-of-concept exploitation. AudioCodes has issued a product notice announcing end-of-service for the Auto-Attendant IVR solution.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-198196
Vulnerability details
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\SYSTEM on Windows deployments. A remote, unauthenticated attacker can write arbitrary files into the product's web-accessible directory structure and subsequently execute them.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated arbitrary file write in a public-facing web administration component, enabling remote code execution, which directly maps to exploitation of public-facing applications.
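To spot exploitation attempts against the endpoint described above, the following added example (not taken from the advisory or from AudioCodes) scans web-server access logs in Combined Log Format for requests to ajaxScript.php and rates any request line that names the saveScript action as high. It assumes the action is carried as a URL query parameter; the log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Constructed sample web-server access log (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Nov/2025:10:01:02 +0000] "GET /F2MAdmin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Nov/2025:10:01:05 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxScript.php?action=saveScript HTTP/1.1" 200 17 "-" "python-requests/2.31"
198.51.100.7 - - [19/Nov/2025:10:02:11 +0000] "GET /AudioCodes_files/utils/IVR/diagram/ajaxScript.php?action=loadScript HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2025:10:03:40 +0000] "GET /AudioCodes_files/utils/IVR/diagram/ajaxScript.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Endpoint named in the advisory, lower-cased and matched as a path suffix so a
# site prefix in front of it does not hide a hit.
ENDPOINT = "/audiocodes_files/utils/ivr/diagram/ajaxscript.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(record):
    """Severity for one parsed request, or None when it is not the vulnerable endpoint.
    Any request to ajaxScript.php is worth review because the endpoint is reachable
    without authentication; a request line naming the saveScript action is the
    file-write path and is rated high. The action is only visible here when it is in
    the URL (an assumption); a POST body is not recorded in access logs."""
    parts = urlsplit(record["target"])
    if not parts.path.lower().endswith(ENDPOINT):
        return None
    if "savescript" in record["target"].lower():
        return "high"
    return "medium"

def scan(log_text):
    """Scan access-log text and return findings for requests to the vulnerable endpoint."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            findings.append({**rec, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['method']} {f['target']} -> {f['status']}")
```

Requests to the endpoint from outside the management network, or any hit after the product's end-of-service date, warrant the same review regardless of rating.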
Mitigating Controls (NIST 800-53 r5)
- Enforces access controls to block unauthenticated remote access to the vulnerable script-management endpoint at ajaxScript.php.
- Requires validation of attacker-supplied data before writing to server-side files, directly addressing the unrestricted arbitrary file write vulnerability.
- Restricts web service account privileges below NT AUTHORITY\SYSTEM to limit the impact of arbitrary file writes and subsequent code execution.