CVE-2025-34333

HIGH

Audiocodes Fax Server < 2.6.23 - Incorrect Default Permissions

Title source: rule

Description

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 configure the web document root at C:\\F2MAdmin\\F2E with overly permissive file system permissions. Authenticated local users have modify rights on this directory, while the associated web server process runs as NT AUTHORITY\\SYSTEM. As a result, any local user can create or alter server-side scripts within the webroot and then trigger them via HTTP requests, causing arbitrary code to execute with SYSTEM privileges.

References (4)

[Product] https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf

[Exploit, Third Party Advisory] https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html

[Exploit, Third Party Advisory] https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt

[Third Party Advisory] https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-world-writable-webroot-lpe

Scores

CVSS v3 7.8

EPSS 0.0004

EPSS Percentile 10.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-276

Status published

Products (2)

audiocodes/fax_server < 2.6.23

audiocodes/interactive_voice_response < 2.6.23

Published Nov 19, 2025

Tracked Since Feb 18, 2026