### Key Information

- **Vulnerability Title**: AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated File Upload RCE via ajaxScript.php
- **Severity**: CRITICAL
- **Release Date**: September 19, 2025
- **Affected Versions**: AudioCodes Fax/IVR Appliance <= 2.6.23
- **Product Status**: Announced "End-of-Service" on 2024-12-31
- **CVE ID**: CVE-2025-34328
- **CWE ID**: CWE-434 Unrestricted Upload of File with Dangerous Type
- **CVSS Score**: 9.3
- **CVSS V4 Vector**: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- **References**:
  - AudioCodes EoS/EoL Product Notice
  - Researcher Blog
  - Researcher Advisory
- **Contributor**: Pierre Barre
- **Vulnerability Description**: AudioCodes Fax Server and Auto-Attendant IVR appliances running version 2.6.23 or earlier contain a web management component (F2MAdmin) that exposes an unauthenticated script management endpoint at `AudioCodes_files/utils/IVR/diagram/ajaxScript.php`. The `saveScript` operation writes attacker-supplied data directly to a server-side file path inside the product's web-accessible directory tree, with the permissions of the web service account. In Windows deployments, that account runs as `NT AUTHORITY\SYSTEM`. A remote, unauthenticated attacker can therefore upload arbitrary files into the web-accessible directory tree and subsequently request them, obtaining code execution as the web service account. Because the product reached End-of-Service before this disclosure, a vendor fix should not be assumed; restricting network access to the F2MAdmin interface or decommissioning the appliance are the practical mitigations.
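The following detection logic is an added example, not code from the advisory, the researcher, or AudioCodes. It runs over constructed web-server access-log lines (made-up IPs, timestamps and file names) and flags three things derived from the description above: any request to the `ajaxScript.php` endpoint, any request that looks like a `saveScript` write (the `action=` query parameter name is an assumption; if the appliance accepts the operation in a POST body, only body-logging or a WAF will see it, so every POST to the endpoint is treated as a write), and any later request from the same source for an executable file under `AudioCodes_files/`, which is the "upload, then execute" pattern the advisory describes.

```python
import re
from urllib.parse import urlsplit

# Endpoint path from the advisory; matched with endswith() because the
# deployment's URL prefix is not known.
AJAX_SCRIPT = "/AudioCodes_files/utils/IVR/diagram/ajaxScript.php"
WEB_ROOT_PREFIX = "/AudioCodes_files/"
# Extensions the web server would execute rather than serve as static
# content; assumption, extend to match the actual server configuration.
EXEC_SUFFIXES = (".php", ".phtml", ".asp", ".aspx")

# Combined Log Format parser (assumed log shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log, not captured from a real appliance.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2025:10:00:01 +0000] "GET /F2MAdmin/login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2025:10:02:14 +0000] "POST /AudioCodes_files/utils/IVR/diagram/ajaxScript.php?action=saveScript HTTP/1.1" 200 12 "-" "python-requests/2.32"
203.0.113.7 - - [19/Sep/2025:10:02:16 +0000] "GET /AudioCodes_files/utils/IVR/diagram/x.php?cmd=whoami HTTP/1.1" 200 220 "-" "python-requests/2.32"
10.0.0.5 - - [19/Sep/2025:10:05:00 +0000] "GET /AudioCodes_files/utils/IVR/diagram/ajaxScript.php?action=loadScript HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the fields we need, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "target": m.group("target"),
        "path": urlsplit(m.group("target")).path,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def detect(lines):
    """Yield (rule, source_ip, request_target) alerts in log order.

    Rules:
      ajaxScript_write    - POST to ajaxScript.php, or any request whose
                            target mentions saveScript (a file write).
      ajaxScript_request  - any other request to the unauthenticated endpoint.
      post_upload_exec    - a source that already issued a write then
                            requests an executable file under the web root.
    """
    alerts = []
    writers = set()  # source IPs that have issued a saveScript-style write
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path_l = rec["path"].lower()
        if path_l.endswith(AJAX_SCRIPT.lower()):
            if rec["method"] == "POST" or "savescript" in rec["target"].lower():
                writers.add(rec["ip"])
                alerts.append(("ajaxScript_write", rec["ip"], rec["target"]))
            else:
                alerts.append(("ajaxScript_request", rec["ip"], rec["target"]))
            continue
        if (rec["ip"] in writers
                and path_l.startswith(WEB_ROOT_PREFIX.lower())
                and path_l.endswith(EXEC_SUFFIXES)):
            alerts.append(("post_upload_exec", rec["ip"], rec["target"]))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, ip, target in run_sample():
        print(f"{rule:20s} {ip:15s} {target}")
```

Because the endpoint is unauthenticated, even the `ajaxScript_request` hits deserve review when they come from outside the management network; the `post_upload_exec` rule is the high-confidence signal, since a legitimate client has no reason to request a freshly created script file immediately after a write.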