AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated prompt upload endpoint at AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php. The script accepts an uploaded file and writes it into the C:\\F2MAdmin\\tmp directory using a filename derived from application constants, without any authentication, authorization, or file-type validation. A remote, unauthenticated attacker can upload or overwrite prompt- or music-on-hold–related files in this directory, potentially leading to tampering with IVR audio content or preparing files for use in further attacks.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Vendors Products
Audiocodes
  • Fax\/ivr

No data.

No data.

References
Link Providers
https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt cve-icon cve-icon
https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html cve-icon cve-icon
https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf cve-icon cve-icon
https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-prompt-file-upload-via-ajaxpromptuploadfile cve-icon cve-icon
History

Thu, 20 Nov 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Audiocodes
Audiocodes fax\/ivr
CPEs cpe:2.3:h:audiocodes:fax\/ivr:*:*:*:*:*:*:*:*
Vendors & Products Audiocodes
Audiocodes fax\/ivr

Wed, 19 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 19 Nov 2025 16:45:00 +0000

Type Values Removed Values Added
Description AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated prompt upload endpoint at AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php. The script accepts an uploaded file and writes it into the C:\\F2MAdmin\\tmp directory using a filename derived from application constants, without any authentication, authorization, or file-type validation. A remote, unauthenticated attacker can upload or overwrite prompt- or music-on-hold–related files in this directory, potentially leading to tampering with IVR audio content or preparing files for use in further attacks.
Title AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated Prompt File Upload via ajaxPromptUploadFile.php
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-11-19T16:22:02.448Z

Updated: 2025-11-20T15:21:16.834Z

Reserved: 2025-04-15T19:15:22.586Z

Link: CVE-2025-34330

cve-icon Vulnrichment

Updated: 2025-11-19T16:47:38.964Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-11-19T17:15:47.777

Modified: 2025-11-19T19:14:59.327

Link: CVE-2025-34330

cve-icon Redhat

No data.