CVE-2025-34331
Severity: HIGH
AudioCodes Fax Server and Auto-Attendant IVR <= 2.6.23 - Unauthenticated Arbitrary File Read via download.php
Title source: llmDescription
AudioCodes Fax Server and Auto-Attendant IVR appliances, versions up to and including 2.6.23, contain an unauthenticated file read vulnerability in the download.php script. The endpoint exposes a file download mechanism with no access control, so a remote, unauthenticated user can request files stored on the appliance based solely on attacker-supplied path and filename parameters. Although the download is limited to the file extensions permitted by the application logic, sensitive backup archives can still be retrieved, exposing internal databases and credential hashes. Successful exploitation may therefore disclose administrative password hashes and other sensitive configuration data.
References (4)
1. Vendor advisory (patch, mitigation): https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf
2. Exploit, third-party advisory (technical description): https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html
3. Exploit, third-party advisory (technical description): https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt
4. Third-party advisory: https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-file-read-via-download
Scores
CVSS v3: 7.5
EPSS: 0.0044
EPSS Percentile: 35.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-306
Status: published
Products (2)
- audiocodes/fax_server: < 2.6.23
- audiocodes/interactive_voice_response: < 2.6.23
Published: Nov 19, 2025
Tracked Since: Feb 18, 2026