CVE-2025-34331

AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated File Read via download.php

CVSS 8.7 HIGHEPSS 0.5%CWE-306

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.7EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

19 Nov 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. The endpoint exposes a file download mechanism that lacks access control, allowing remote, unauthenticated users to request files stored on the appliance based solely on attacker-supplied path and filename parameters. While limited to specific file extensions permitted by the application logic, sensitive backup archives can be retrieved, exposing internal databases and credential hashes. Successful exploitation may lead to disclosure of administrative password hashes and other sensitive configuration data.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Affected products

AudioCodes Limited · AudioCodes Fax/IVR Appliance

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-file-read-via-download