Cyber Resilience

CVE-2025-34328

Critical · Public PoC

Published: 19 November 2025
Modified: 12 December 2025
KEV Added: not listed
CVSS v4.0 base score: 9.3 (Critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0053 (67.9th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34328 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in AudioCodes Fax Server. Its CVSS v4.0 base score is 9.3 (Critical); under CVSS v3.1 it scores 9.8.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places it in the top 32.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement), which blocks unauthenticated access to the vulnerable endpoint, and AC-6 (Least Privilege), which limits what a successful file write can achieve.

Deeper analysis

CVE-2025-34328 is an unauthenticated arbitrary file write vulnerability in AudioCodes Fax Server and Auto-Attendant IVR appliances, affecting versions up to and including 2.6.23. The issue exists in the F2MAdmin web administration component, which exposes a script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\SYSTEM on Windows deployments.

A remote, unauthenticated attacker can exploit this endpoint to write arbitrary files into the product's web-accessible directory structure and subsequently execute them, resulting in remote code execution with SYSTEM-level privileges. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type).
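The write-then-execute chain described above leaves a recognisable trace in web-server access logs: a request to the script-management endpoint, followed by the same client fetching a web-executable file from the product's directory tree. The script below hunts for that pattern. It is an added example, not code from the advisory, from Pierre Kim or VulnCheck, or from AudioCodes. It assumes Apache/NCSA combined log format and that the saveScript action name is visible in the query string; the page does not describe the product's logging or the request encoding, and in real traffic the action may travel in a POST body that access logs never record, so the endpoint path alone is treated as the primary indicator. The sample log lines are constructed.

```python
"""Hunt web-server access logs for the CVE-2025-34328 write-then-execute pattern.

Added example, not code from the advisory or from AudioCodes.
Assumptions not stated on the page: logs are in Apache/NCSA combined format,
the endpoint is served under /AudioCodes_files/..., and the `saveScript`
action name is visible in the query string.  In real traffic the action may
travel in the POST body, which access logs do not record, so the endpoint
path alone is treated as the primary indicator.
"""
import re

# Endpoint path from the advisory; matched case-insensitively because the
# affected deployments run on Windows, where paths are case-insensitive.
ENDPOINT = "AudioCodes_files/utils/IVR/diagram/ajaxScript.php".lower()
# Extensions a web server would execute rather than serve as static data.
WEB_EXEC_EXT = (".php", ".phtml", ".asp", ".aspx")

# Combined log format up to the status and size fields; referrer and
# user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one client reaches the script-management endpoint and
# seconds later fetches a freshly written PHP file from the same directory;
# another client only loads the admin login page; one line is garbage.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Nov/2025:10:01:02 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxScript.php?action=saveScript HTTP/1.1" 200 15 "-" "python-requests/2.31"',
    '203.0.113.7 - - [19/Nov/2025:10:01:05 +0000] "GET /AudioCodes_files/utils/IVR/diagram/test.php HTTP/1.1" 200 38 "-" "python-requests/2.31"',
    '198.51.100.4 - - [19/Nov/2025:10:02:00 +0000] "GET /F2MAdmin/login.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    'this line is not a valid access-log record',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["url"].partition("?")
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines):
    """Return findings in log order.

    Two kinds are emitted: every request to the script-management endpoint
    (the endpoint is unauthenticated, so any untrusted source is suspect), and
    any later successful request from the same client for a web-executable
    file, which is the 'write, then execute' chain the advisory describes.
    """
    findings = []
    endpoint_clients = set()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].lower()
        if path.endswith(ENDPOINT):
            endpoint_clients.add(rec["ip"])
            findings.append({
                "kind": "script_endpoint_request",
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                # assumption: action visible in the query string
                "save_script_seen": "action=savescript" in rec["query"].lower(),
                "status": rec["status"],
            })
        elif (rec["ip"] in endpoint_clients
              and path.endswith(WEB_EXEC_EXT)
              and rec["status"] < 400):
            findings.append({
                "kind": "possible_written_file_executed",
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Expect noise from legitimate administrators, who will also touch the endpoint and then browse other pages of the admin UI; since the endpoint requires no authentication, the useful discriminator is the source address: any hit from outside the management network is worth a ticket on its own, and the second finding kind is what turns a hit into a probable compromise.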

Advisories from Pierre Kim and VulnCheck provide technical details on the vulnerability, including proof-of-concept exploitation. AudioCodes has issued a product notice announcing end-of-service for the Auto-Attendant IVR solution.


Vulnerability details

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\SYSTEM on Windows deployments. A remote, unauthenticated attacker can write arbitrary files into the product's web-accessible directory structure and subsequently execute them.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated arbitrary file write in a public-facing web administration component, enabling remote code execution, which directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-34329 · Same product: AudioCodes Fax Server
CVE-2025-34335 · Same product: AudioCodes Fax Server
CVE-2025-34334 · Same product: AudioCodes Fax Server
CVE-2024-56975 · Shared CWE-434
CVE-2019-25580 · Shared CWE-434
CVE-2026-27636 · Shared CWE-434
CVE-2026-4809 · Shared CWE-434
CVE-2020-37090 · Shared CWE-434
CVE-2026-24729 · Shared CWE-434
CVE-2026-28289 · Shared CWE-434

Affected Assets

audiocodes fax server ≤ 2.6.23
audiocodes interactive voice response ≤ 2.6.23

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement · prevent
Enforces access controls to block unauthenticated remote access to the vulnerable script-management endpoint at ajaxScript.php.

Input validation · prevent
Requires validation of attacker-supplied data before writing to server-side files, directly addressing the unrestricted arbitrary file write vulnerability.

AC-6 Least Privilege · prevent
Restricts web service account privileges below NT AUTHORITY\SYSTEM to limit the impact of arbitrary file writes and subsequent code execution.
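What the first two controls look like in code is shown below as a hardened counterpart to the unchecked save-to-path pattern the advisory describes. This is an added example written in Python; it is not AudioCodes' code (the affected component is PHP), and the function names, the script directory, the allowed extension and the token check are all assumptions made for illustration. The third control, least privilege, is an operating-system decision: run the web service as a dedicated low-privilege account rather than NT AUTHORITY\SYSTEM. No application code substitutes for that, so the example does not pretend to.

```python
"""Hardened counterpart to an unchecked save-to-path handler.

Added example in Python, not AudioCodes' code (the affected component is PHP).
Names, the script directory and the shared-secret token check are assumptions.
Shown here: AC-3 (reject unauthenticated callers before any file system
access) and input validation against CWE-434 (allowlisted name and extension,
path confinement, size cap, atomic write).  AC-6 is enforced by the service
account the process runs as, not by code.
"""
import hmac
import os
import pathlib
import re
import tempfile

# Stand-in for the product's script directory (assumption); a fresh temp dir so
# the example runs anywhere.
SCRIPT_DIR = pathlib.Path(tempfile.mkdtemp(prefix="ivr_scripts_")).resolve()
ALLOWED_EXT = {".json"}                          # scripts are data, never web-executable
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")     # no separators, dots or traversal
MAX_BYTES = 256 * 1024


class SaveError(Exception):
    """Raised for any request the hardened handler refuses."""


def save_script(name, data, token, expected_token):
    """Write `data` to SCRIPT_DIR/<name> only if every check passes; return the path."""
    # AC-3: enforce authentication before touching the file system.
    if not token or not hmac.compare_digest(token, expected_token):
        raise SaveError("unauthenticated")
    # CWE-434: allowlist the stem and the extension.  splitext keeps only the
    # last suffix, so "evil.php.json" fails on the stem (it contains a dot) and
    # "evil.json.php" fails on the extension.
    stem, ext = os.path.splitext(name)
    if not NAME_RE.fullmatch(stem) or ext.lower() not in ALLOWED_EXT:
        raise SaveError("name or extension not allowed")
    if len(data) > MAX_BYTES:
        raise SaveError("payload too large")
    target = (SCRIPT_DIR / f"{stem}{ext.lower()}").resolve()
    # Defence in depth: the resolved target must still sit inside SCRIPT_DIR.
    if SCRIPT_DIR not in target.parents:
        raise SaveError("path escapes script directory")
    # Write to a temporary name and rename, so a half-written file is never served.
    tmp = target.with_name(target.name + ".tmp")
    tmp.write_bytes(data)
    os.replace(tmp, target)
    return target


def rejected(name, data=b"{}", token="secret", expected_token="secret"):
    """True when save_script refuses the request; used by the demo below."""
    try:
        save_script(name, data, token, expected_token)
    except SaveError:
        return True
    return False


if __name__ == "__main__":
    print(save_script("greeting.json", b'{"prompt": "hello"}', "secret", "secret"))
    for bad in ["shell.php", "../../shell.json", "a.json.php"]:
        print(bad, "rejected:", rejected(bad))
    print("missing token rejected:", rejected("greeting.json", token=""))
```

The order of the checks matters: authentication comes first so that an unauthenticated caller never influences a file name or a write, and the path-confinement check after resolve() is deliberately redundant with the name allowlist, so that a future relaxation of NAME_RE cannot silently reintroduce traversal.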
