Key Information

Vulnerability Type: Authenticated Command Injection via TestFax.php & LPE
Affected Versions: AudioCodes Fax/IVR Appliance <= 2.6.23
Severity: HIGH
CVSS Score: 8.7
CVSS V4 Vector:
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
References:
- AudioCodes EoSEoL Product Notice
- Researcher Blog
- Researcher Advisory
Discoverer: Pierre Barre

Vulnerability Description

AudioCodes Fax Server and Auto-Attendant IVR appliances version 2.6.23 and earlier are affected by an authenticated command injection vulnerability, exploitable via the fax test functionality implemented in TestFax.php. When a "send" fax test request is initiated, the application constructs a fax command line from attacker-supplied parameters and passes it on for execution without validating the values or sanitizing them as shell arguments. The generated batch file is written to a temporary execution directory and run by a backend service with SYSTEM privileges.

An authenticated attacker with access to the fax test interface can therefore craft parameter values that inject additional shell commands into the generated batch file, resulting in arbitrary command execution as SYSTEM.

Additionally, because the generated batch file is stored in a location with overly permissive filesystem permissions, a local low-privileged user on the server can escalate privileges by modifying the pending batch file before the service executes it.
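The following is an added illustration of the injection pattern described above, not code from AudioCodes or from the researcher's advisory. It models a page that drops raw fax-test parameters into a .bat line, shows how many commands cmd.exe would actually run for a hostile value, and contrasts it with an allow-list check. The fax tool name (faxsend.exe), the parameter names (to, from, file) and the sample request values are assumptions constructed for the example.

```python
import re

# Hypothetical command-line fax sender; the real product's tool name is not on the page.
FAX_TOOL = "faxsend.exe"

# cmd.exe runs several commands from one line when they are joined by & && | ||.
# This split is deliberately simplified (no quote or caret handling); it is only
# meant to count how many commands a generated batch line would spawn.
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def batch_commands(batch_text):
    """Return the individual commands cmd.exe would execute for a batch body."""
    cmds = []
    for line in batch_text.splitlines():
        for part in _SEPARATORS.split(line):
            if part.strip():
                cmds.append(part.strip())
    return cmds


def build_batch_vulnerable(params):
    """Vulnerable pattern: request values concatenated straight into the batch line."""
    line = "{tool} /to {to} /from {frm} /file {file}".format(
        tool=FAX_TOOL, to=params["to"], frm=params["from"], file=params["file"]
    )
    return line + "\r\n"


# Strict allow-lists: a fax number is digits with an optional leading '+', and the
# file argument is a bare file name. Nothing matching these can carry a cmd.exe
# metacharacter, a path separator, or a %VAR% expansion.
_NUMBER_RE = re.compile(r"^\+?\d{3,20}$")
_FILE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_batch_hardened(params):
    """Hardened form: validate every value against an allow-list before use."""
    to, frm, file = params["to"], params["from"], params["file"]
    if not _NUMBER_RE.match(to) or not _NUMBER_RE.match(frm):
        raise ValueError("fax number must be digits only")
    if not _FILE_RE.match(file) or file in (".", ".."):
        raise ValueError("file must be a bare file name")
    return '{tool} /to {to} /from {frm} /file "{file}"\r\n'.format(
        tool=FAX_TOOL, to=to, frm=frm, file=file
    )


# Constructed sample requests: one benign, one carrying an injected command.
BENIGN = {"to": "+15551234567", "from": "5550000", "file": "test.tif"}
PAYLOAD = {
    "to": "5551234 & whoami > C:\\Windows\\Temp\\out.txt",
    "from": "5550000",
    "file": "test.tif",
}

if __name__ == "__main__":
    print("vulnerable, benign :", batch_commands(build_batch_vulnerable(BENIGN)))
    print("vulnerable, payload:", batch_commands(build_batch_vulnerable(PAYLOAD)))
    print("hardened, benign   :", repr(build_batch_hardened(BENIGN)))
    try:
        build_batch_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened, payload  : rejected,", exc)
```

The hardened variant relies on allow-listing rather than quoting because quoting is not a sufficient defence for batch files: cmd.exe expands %VAR% references inside double quotes before the line is parsed, so a value like "%COMSPEC%" still does work even when wrapped. Validation also has to happen before the batch file is written, since the advisory's second finding is that a local user can edit the pending file; a fix that sanitizes the line but leaves the directory writable by everyone still leaves the privilege escalation open.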