Key Information

Vulnerability Title: AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated File Upload RCE via ajaxScript.php
Severity: CRITICAL
Release Date: September 19, 2025
Affected Versions: AudioCodes Fax/IVR Appliance <= 2.6.23
Product Status: Announced "End-of-Service" on 2024-12-31
CVE ID: CVE-2025-34328
CWE ID: CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS Score: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References:
- AudioCodes EoS/EoL Product Notice
- Researcher Blog
- Researcher Advisory
Contributor: Pierre Barre

Vulnerability Description:

AudioCodes Fax Server and Auto-Attendant IVR appliances running version 2.6.23 or earlier contain a web management component (F2MAdmin) that exposes an unauthenticated script management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript operation writes request-supplied data directly to a server-side file path inside the product's web-accessible directory structure, with the permissions of the web service account. In Windows deployments, this account runs as NT AUTHORITY\SYSTEM. Remote, unauthenticated attackers can therefore upload arbitrary files into the product's web-accessible directory structure and subsequently execute them.
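Because the product is past end-of-service and no vendor fix is referenced, the practical defender response is to detect use of the endpoint and to keep it off untrusted networks. The script below is an added detection example written for this advisory; it is not code from AudioCodes or from the researcher. It parses web-server access logs in the Apache/nginx "combined" format (an assumption; IIS W3C logs would need their own field parser), flags every request to the ajaxScript.php path named above, raises the severity when the request carries the saveScript operation or comes from outside an assumed trusted management range, and flags a follow-on request from the same client to any other .php file under the diagram/ directory, which is the "upload then execute" pattern the description warns about. The sample log lines, the 10.0.0.0/8 trusted range, the `op=saveScript` query encoding and the `uploaded.php` filename are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Web-accessible path of the unauthenticated endpoint named in the advisory.
AJAXSCRIPT_PATH = "/AudioCodes_files/utils/IVR/diagram/ajaxScript.php"
DIAGRAM_DIR = AJAXSCRIPT_PATH.rsplit("/", 1)[0] + "/"

# Assumed management network; only these clients are expected to reach F2MAdmin at all.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache/nginx "combined" access-log format (assumed). IIS logs use a different,
# configurable field order and would need a separate regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): one benign login request, one
# saveScript call from the management range, one from an external address
# followed by a request to a new .php file, and one bare probe of the endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2025:10:00:01 +0000] "GET /AudioCodes_files/F2MAdmin/login.php HTTP/1.1" 200 1532
10.0.0.5 - - [19/Sep/2025:10:02:14 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxScript.php?op=saveScript HTTP/1.1" 200 27
203.0.113.77 - - [19/Sep/2025:10:05:33 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxScript.php?op=saveScript HTTP/1.1" 200 27
203.0.113.77 - - [19/Sep/2025:10:05:41 +0000] "GET /AudioCodes_files/utils/IVR/diagram/uploaded.php HTTP/1.1" 200 512
198.51.100.9 - - [19/Sep/2025:10:07:02 +0000] "GET /AudioCodes_files/utils/IVR/diagram/ajaxScript.php HTTP/1.1" 200 88
"""


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside the assumed management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Path without query string, so that parameters never hide the endpoint.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Dict[str, str]] = []
    touched = set()  # clients that have already reached ajaxScript.php

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"].lower()

        if path == AJAXSCRIPT_PATH.lower():
            touched.add(ip)
            # The operation name is matched anywhere in the request line because the
            # exact parameter encoding is not documented in the advisory.
            has_save = "savescript" in line.lower()
            external = not is_trusted(ip)
            if has_save and external:
                severity = "critical"
            elif has_save or external:
                severity = "high"
            else:
                severity = "low"
            reason = ("saveScript operation sent to unauthenticated endpoint"
                      if has_save else "request to unauthenticated ajaxScript.php endpoint")
            findings.append({"ip": ip, "ts": rec["ts"], "severity": severity, "reason": reason})

        elif ip in touched and path.startswith(DIAGRAM_DIR.lower()) and path.endswith(".php"):
            # A script under diagram/ requested by a client that just used the write
            # endpoint is the upload-then-execute sequence the advisory describes.
            findings.append({"ip": ip, "ts": rec["ts"], "severity": "high",
                             "reason": "script under diagram/ requested after ajaxScript.php access"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:15} {f['ts']}  {f['reason']}")
```

Point `scan()` at the real access log of the F2MAdmin web server; on a Windows host the equivalent is the IIS log directory for that site, with the regex adjusted to its field order. Any finding from outside the management range on an end-of-service appliance is worth treating as an incident rather than a tuning question, since the endpoint has no authentication to fall back on.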