Authenticated Command Injection in AudioCodes Fax Server and Auto-Attendant IVR Appliances
CVE-2025-34335
Key Information:
- Vendor
Audiocodes Limited
- Vendor
- CVE Published:
- 19 November 2025
Badges
What is CVE-2025-34335?
The AudioCodes Fax Server and Auto-Attendant IVR appliances, up to version 2.6.23, are susceptible to an authenticated command injection vulnerability. This issue arises during the license activation workflow when a license file is uploaded. The application improperly handles the uploaded filename by appending a generated base name to the user-controlled extension, which leads to insecure command line adjustments. Specifically, maliciously crafted extensions can be executed due to lack of input validation and escaping, enabling an attacker with authenticated access to execute arbitrary commands with the privileges of NT AUTHORITY\SYSTEM.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
AudioCodes Fax/IVR Appliance 0 <= 2.6.23
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved