CVE-2025-34335 Overview
CVE-2025-34335 is an authenticated OS command injection vulnerability affecting AudioCodes Fax Server and Auto-Attendant IVR appliances through version 2.6.23. The flaw resides in the license activation workflow handled by AudioCodes_files/ActivateLicense.php. An authenticated user with access to the license upload interface can supply a crafted upload filename; the extension portion of that filename is concatenated into a command line that is passed to PHP's exec() without validation or quoting, so command separators embedded in it are interpreted by cmd.exe when fax_server_lic_cmdline.exe is invoked. Successful exploitation executes arbitrary commands as NT AUTHORITY\SYSTEM on the underlying Windows host. AudioCodes has issued an end-of-service notice for the Auto-Attendant IVR solution rather than a security patch.
Critical Impact
Authenticated attackers can achieve arbitrary command execution as NT AUTHORITY\SYSTEM, leading to full appliance compromise of fax and IVR infrastructure.
Affected Products
- AudioCodes Fax Server versions up to and including 2.6.23
- AudioCodes Auto-Attendant Interactive Voice Response (IVR) versions up to and including 2.6.23
- The vulnerable component is AudioCodes_files/ActivateLicense.php invoking fax_server_lic_cmdline.exe
Discovery Timeline
- 2025-11-19 - CVE-2025-34335 published to the National Vulnerability Database (NVD)
- 2025-11-20 - Pierre Kim publishes public security advisory documenting eight vulnerabilities in AudioCodes Fax and IVR appliances
- 2025-12-11 - Last updated in NVD database
Technical Details for CVE-2025-34335
Vulnerability Analysis
The vulnerability is classified as OS Command Injection [CWE-78]. The license activation handler ActivateLicense.php accepts a license file upload and derives a new filename by concatenating a generated base name with the extension portion of the attacker-controlled upload filename. That composite path is then embedded into a command string used to invoke fax_server_lic_cmdline.exe. The application passes the resulting string to exec() without input validation, character escaping, or argument quotation. Because the appliance runs the web stack with SYSTEM privileges, injected commands execute with the highest local privilege level on Windows. Network reachability of the license upload interface makes the issue remotely exploitable for any user holding valid credentials.
Root Cause
The root cause is unsafe string concatenation of user-controlled input into a shell command. The extension component of the uploaded filename flows directly from the HTTP request into the command line built for fax_server_lic_cmdline.exe. No allow-list of permitted characters, no escaping of shell metacharacters, and no use of parameterized process invocation is applied before the exec() call.
Attack Vector
An attacker authenticates to the management interface and submits a license upload whose filename has an extension containing cmd.exe command separators. Because PHP's exec() on Windows runs the command string through cmd.exe /c, the separators that matter are & and | (and their && and || forms); semicolons, backticks and $() are POSIX shell syntax and are not interpreted by cmd.exe. The injected tokens are interpolated into the command string, and cmd.exe runs whatever follows them as a separate command. The injected payload runs as NT AUTHORITY\SYSTEM, granting full control over the appliance, including credential extraction, lateral movement, fax traffic interception, and persistent backdoor installation. Detailed exploitation mechanics are documented in the Pierre Kim Security Advisory and the VulnCheck Advisory on Command Injection.
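The two sides of the root cause, as an added example written in Python rather than the appliance's PHP (this is not AudioCodes code; the tool path, license directory, argument order and accepted extension are assumptions): the unsafe concatenation, a small approximation of how cmd.exe splits the resulting line into commands, and a hardened form that allow-lists the extension and hands the tool an argument vector instead of a string.

```python
import os
import re

# Placeholders for the layout the page describes. The tool path, the license directory and the
# "<tool> <destination path>" argument order are assumptions, not taken from the product.
LICENSE_TOOL = r"C:\AudioCodes\fax_server_lic_cmdline.exe"
LICENSE_DIR = r"C:\AudioCodes\licenses"


def vulnerable_cmdline(upload_filename: str, base_name: str) -> str:
    """The unsafe pattern: the extension of the attacker-controlled upload name is spliced into one
    command string, which PHP's exec() on Windows would hand to cmd.exe /c unchanged."""
    ext = os.path.splitext(upload_filename)[1]   # everything after the last '.', e.g. ".lic & whoami"
    return f"{LICENSE_TOOL} {LICENSE_DIR}\\{base_name}{ext}"


def split_like_cmd(cmdline: str) -> list:
    """Approximate how cmd.exe carves one line into separate commands: '&', '&&', '|' and '||'
    outside double quotes start a new command, and '^' escapes the next character outside quotes.
    ';', backticks and $() are POSIX-shell syntax and are deliberately not separators here."""
    commands, current, in_quotes, i = [], "", False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            current += ch
        elif ch == "^" and not in_quotes and i + 1 < len(cmdline):
            i += 1
            current += cmdline[i]
        elif ch in "&|" and not in_quotes:
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1                                    # '&&' or '||'
            commands.append(current.strip())
            current = ""
        else:
            current += ch
        i += 1
    commands.append(current.strip())
    return [c for c in commands if c]


ALLOWED_EXT = {".lic"}   # assumption: the only extension the activation tool should ever receive


def hardened_argv(upload_filename: str, base_name: str) -> list:
    """Allow-list the extension, then return an argument vector. Running it with
    subprocess.run(argv, check=True) (shell=False, the default) calls CreateProcess directly,
    so cmd.exe never parses the path. Nothing is executed in this example."""
    ext = os.path.splitext(upload_filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"rejected upload extension {ext!r}")
    if not re.fullmatch(r"[A-Za-z0-9_]+", base_name):    # the generated part should be clean; check anyway
        raise ValueError(f"unexpected base name {base_name!r}")
    return [LICENSE_TOOL, f"{LICENSE_DIR}\\{base_name}{ext}"]


if __name__ == "__main__":
    evil = "lic.lic & whoami"     # constructed attacker-controlled upload filename
    for cmd in split_like_cmd(vulnerable_cmdline(evil, "license_1700000000")):
        print("cmd.exe would run:", cmd)
    try:
        hardened_argv(evil, "license_1700000000")
    except ValueError as exc:
        print("hardened path:", exc)
    print("hardened path:", hardened_argv("lic.lic", "license_1700000000"))
```

In PHP the equivalent fix is the same extension allow-list followed by either escapeshellarg() on the path or, better, proc_open() with an array command (PHP 7.4 and later), which runs the program without a shell. Note that escapeshellarg() on Windows replaces %, ! and " with spaces rather than escaping them, so it stops separator injection but silently mangles such names; and an argument vector alone would not help if the invoked target were a .bat or .cmd script, since CreateProcess still runs those through cmd.exe, which is why the allow-list is the essential control.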
Detection Methods for CVE-2025-34335
Indicators of Compromise
- Multipart license upload requests to AudioCodes_files/ActivateLicense.php whose Content-Disposition filename carries a non-alphanumeric extension, in particular one containing the cmd.exe separators &, &&, | or ||. The filename lives in the request body, so it is only visible where the body is captured: a reverse proxy or WAF with body logging, a packet capture, or the application's own upload log.
- A cmd.exe launched by the PHP or web server process whose command line references fax_server_lic_cmdline.exe and also contains & or | separators, or that cmd.exe spawning anything other than fax_server_lic_cmdline.exe (powershell.exe, certutil.exe, a second cmd.exe or other living-off-the-land binaries). PHP's exec() on Windows always runs through cmd.exe /c, so a cmd.exe child of the PHP process by itself is expected on every legitimate activation.
- Outbound network connections from the appliance to unexpected hosts shortly after a license upload event.
Detection Strategies
- Inspect reverse proxy, WAF or packet-capture records of license upload requests for multipart filenames whose extension is anything other than a short alphanumeric string; standard web server access logs do not record the multipart body and will not show the filename.
- Hunt for anomalous process lineage: the cmd.exe that PHP spawns for the license tool is expected, but its command line should contain nothing after the fax_server_lic_cmdline.exe invocation beyond the destination path, and its only child should be fax_server_lic_cmdline.exe itself. Any other child of that cmd.exe, or a command line with an extra & or | token, is the injected command.
- Correlate authentication events on the management interface with subsequent process creation events that include suspicious command-line arguments.
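The two hunts above, as an added example that is not from the page, the advisory or AudioCodes: a check on a captured multipart body for a non-alphanumeric upload extension, and a two-stage process-lineage rule over constructed process-creation records normalized from Event ID 4688 or Sysmon Event ID 1. The web-stack image names and the record layout are assumptions.

```python
import re

# cmd.exe command separators. ';', backticks and $() are POSIX-shell syntax; cmd.exe does not split on them.
CMD_SEPARATORS = re.compile(r"&&|\|\||[&|]")

# Image names assumed for the appliance's PHP/web stack (assumption: check what actually runs on the host).
WEB_PROCESSES = {"php-cgi.exe", "php.exe", "httpd.exe", "w3wp.exe"}
LICENSE_TOOL = "fax_server_lic_cmdline.exe"


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def multipart_filenames(body: str) -> list:
    """Return the filename= values from multipart/form-data Content-Disposition headers.
    This needs the request body (reverse-proxy body log or packet capture); an access log never has it."""
    return re.findall(r'Content-Disposition:[^\r\n]*?filename="((?:[^"\\]|\\.)*)"', body, re.I)


def suspicious_extension(filename: str) -> bool:
    """True unless the extension is a short alphanumeric token; anything else is either a
    separator injection attempt or at least worth a look."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return re.fullmatch(r"[A-Za-z0-9]{1,8}", ext) is None


def find_injection(events: list) -> list:
    """events: process-creation records normalized from Event ID 4688 / Sysmon 1 into dicts with
    pid, ppid, image and cmdline. Returns (pid, reason) tuples for the two observable stages."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        # Stage 1: the cmd.exe PHP spawns for the license tool, but with separators after the tool name.
        if image_name(e["image"]) == "cmd.exe" and image_name(parent["image"]) in WEB_PROCESSES:
            cmdline = e["cmdline"].lower()
            if LICENSE_TOOL in cmdline:
                tail = cmdline.split(LICENSE_TOOL, 1)[1]
                if CMD_SEPARATORS.search(tail):
                    alerts.append((e["pid"], "separator after " + LICENSE_TOOL + " in cmd.exe command line"))
        # Stage 2: that cmd.exe creating anything other than the license tool.
        if image_name(parent["image"]) == "cmd.exe":
            grandparent = by_pid.get(parent["ppid"])
            if (grandparent is not None
                    and image_name(grandparent["image"]) in WEB_PROCESSES
                    and image_name(e["image"]) != LICENSE_TOOL):
                alerts.append((e["pid"], image_name(e["image"]) + " spawned by the web stack's cmd.exe"))
    return alerts


# Constructed sample data (not real telemetry): one legitimate activation and one injected one.
SAMPLE_BODY = (
    "--boundary\r\n"
    'Content-Disposition: form-data; name="licfile"; filename="lic.lic & whoami"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "DUMMY\r\n"
    "--boundary--\r\n"
)

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Apache24\bin\httpd.exe", "cmdline": "httpd.exe -k runservice"},
    {"pid": 200, "ppid": 100, "image": r"C:\php\php-cgi.exe",        "cmdline": "php-cgi.exe"},
    # legitimate activation
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c fax_server_lic_cmdline.exe C:\AudioCodes\licenses\license_1.lic"},
    {"pid": 301, "ppid": 300, "image": r"C:\AudioCodes\fax_server_lic_cmdline.exe",
     "cmdline": r"fax_server_lic_cmdline.exe C:\AudioCodes\licenses\license_1.lic"},
    # injected activation: extension ".lic & powershell.exe ..." spliced into the command line
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c fax_server_lic_cmdline.exe C:\AudioCodes\licenses\license_2.lic & powershell.exe -nop -w hidden -c whoami"},
    {"pid": 401, "ppid": 400, "image": r"C:\AudioCodes\fax_server_lic_cmdline.exe",
     "cmdline": r"fax_server_lic_cmdline.exe C:\AudioCodes\licenses\license_2.lic"},
    {"pid": 402, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c whoami"},
]

if __name__ == "__main__":
    for name in multipart_filenames(SAMPLE_BODY):
        print(f"upload filename {name!r}: suspicious={suspicious_extension(name)}")
    for pid, reason in find_injection(SAMPLE_EVENTS):
        print(f"ALERT pid {pid}: {reason}")
```

Stage 1 fires even if the injected command never starts (for example because it fails to resolve), while stage 2 catches payloads whose separators were obscured by quoting tricks the simple regex misses; running both over the same records keeps one rule's blind spot from becoming the other's.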
Monitoring Recommendations
- Forward Windows process creation events (Event ID 4688) and PowerShell logs from the appliance to a centralized analytics platform. Event 4688 only carries the process command line when the "Include command line in process creation events" policy is enabled alongside Audit Process Creation; without it the injected tokens are invisible. Sysmon Event ID 1 records the command line and parent process by default and is a good alternative.
- Alert on any SYSTEM-context process other than fax_server_lic_cmdline.exe that descends from the web application's cmd.exe on fax and IVR hosts.
- Monitor the management interface for brute-force activity and unexpected administrative logins that could precede exploitation.
How to Mitigate CVE-2025-34335
Immediate Actions Required
- Restrict network access to the appliance management interface to a small set of trusted administrative addresses using firewall or ACL rules.
- Rotate credentials for all accounts authorized to access the license upload workflow and enforce strong, unique passwords.
- Audit recent license upload activity and process creation history on affected appliances for indicators listed above.
- Plan migration away from the AudioCodes Auto-Attendant IVR solution in line with the vendor end-of-service notice.
Patch Information
AudioCodes has not released a security patch for CVE-2025-34335. The vendor published an AudioCodes Product End of Service Notice for the Auto-Attendant IVR solution, signaling that affected customers should plan replacement or decommissioning rather than expect a fix. Operators running the Fax Server should consult AudioCodes support for product-specific guidance.
Workarounds
- Place the appliance behind a reverse proxy or VPN that enforces multi-factor authentication before any request reaches ActivateLicense.php. This limits who can reach the endpoint but does not protect against a legitimate credential holder, since the injection is exploitable by authenticated users by design.
- Disable or block external access to the license activation endpoint at the web server or network layer when license operations are not actively required.
- Segment fax and IVR appliances onto an isolated VLAN with strict egress filtering to limit post-exploitation impact.
- Decommission end-of-service appliances and migrate workloads to a supported telephony platform.
# Example on a Linux reverse proxy or gateway host in front of the (Windows) appliance:
# allow only the jump host 10.10.10.5 to reach the management interface on 443 and drop everyone else.
# -A appends, so these must precede any broader ACCEPT already in the chain; use -I to insert at the top if needed.
iptables -A INPUT -p tcp --dport 443 -s 10.10.10.5 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


