CVE-2025-34331 in Fax Server
Summary
by MITRE • 11/19/2025
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. The endpoint exposes a file download mechanism that lacks access control, allowing remote, unauthenticated users to request files stored on the appliance based solely on attacker-supplied path and filename parameters. While limited to specific file extensions permitted by the application logic, sensitive backup archives can be retrieved, exposing internal databases and credential hashes. Successful exploitation may lead to disclosure of administrative password hashes and other sensitive configuration data.
Analysis
by VulDB Data Team • 12/12/2025
The AudioCodes Fax Server and Auto-Attendant IVR appliances represent critical network infrastructure components that handle sensitive telephony and communication data within enterprise environments. These devices operate as centralized systems managing fax communications, voice mail, and automated attendant services that form integral parts of corporate communication networks. The vulnerability exists within the download.php script that serves as a file retrieval mechanism for legitimate system operations, yet fails to implement proper authentication or authorization controls. This flaw affects all versions up to and including 2.6.23, indicating a widespread issue across multiple firmware releases that have not been adequately addressed through security patches. The device architecture typically includes internal storage systems containing configuration files, database backups, and credential information that would normally be protected from unauthorized access.
The technical exploitation of this vulnerability occurs through simple parameter manipulation: remote, unauthenticated users can construct requests to the download.php endpoint that supply arbitrary path and filename parameters directly to the file download functionality. The vulnerability stems from insufficient input validation and missing access control on that endpoint. While the application logic does restrict the file extensions that can be retrieved, an extension allow-list alone does not prevent access to backup files, which often contain database dumps, configuration files, and credential hashes. The attack vector relies on the fact that the system neither validates that the requested file path falls within an intended directory nor checks that the requester is authorized to access the resource. This is a classic case of improper access control in which the system treats every request as legitimate without authentication, matching CWE-285 (Improper Authorization).
The operational impact of successful exploitation extends far beyond simple information disclosure, potentially enabling attackers to gain comprehensive access to the appliance's administrative functions and underlying system data. When attackers retrieve backup archives, they may obtain complete database snapshots containing administrative password hashes, user credentials, and sensitive configuration parameters that could be used for further attacks within the network. The exposure of credential hashes provides attackers with potential entry points to other systems that may share similar authentication mechanisms, while database contents could reveal internal network topology, service configurations, and communication patterns. This vulnerability creates a pathway for attackers to escalate privileges and potentially compromise the entire communication infrastructure, as the appliance typically serves as a central point of control for multiple telephony services. The impact is particularly severe in enterprise environments where these appliances may be directly accessible from external networks or where insufficient network segmentation prevents proper isolation of critical systems.
Mitigation should prioritize network segmentation and access control to restrict direct external access to these appliances. Organizations must ensure that the download.php endpoint is protected by authentication and by input validation that rejects path traversal and confines requests to the intended directory. The activity this flaw enables, retrieval of backup archives and database contents, maps to ATT&CK technique T1213 (Data from Information Repositories), and the vulnerability itself represents a failure to maintain proper access control boundaries. Regular security assessments should verify file access controls and input validation to prevent similar issues in other network infrastructure components. Organizations should also implement network monitoring to detect suspicious file access patterns, such as unusual requests to the download.php endpoint, and establish procedures for regular firmware updates to address known vulnerabilities. Remediation must include not only patching this specific vulnerability but also reviewing and strengthening access control policies for all network infrastructure devices that handle sensitive data, so that the principle of least privilege is enforced across all system components.
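As an added example (not AudioCodes or VulDB code) of the two controls the analysis calls for, the block below implements a hardened resolver for a download.php-style endpoint that requires a session and confines resolved paths to a base directory, and a detector that flags traversal sequences or backup-archive requests in constructed access-log lines. The query key names (path, filename), the base directory, the extension lists and the log lines are assumptions, not values from the affected appliance.

```python
# Added example (not AudioCodes code): a hardened resolver for a download.php-style
# endpoint, plus a detector for suspicious download.php requests in access logs.
# Assumed: files live under BASE_DIR, the query keys are "path"/"filename", and the
# extension allow-list and log lines are constructed placeholders.
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

BASE_DIR = "/var/app/downloads"      # assumed download root
ALLOWED_EXT = {".pdf", ".tif"}       # constructed allow-list, not the real one
ARCHIVE_EXT = (".zip", ".tar", ".gz", ".tgz", ".sql", ".bak")  # backup-like files

def resolve_download(path, filename, session_ok, base_dir=BASE_DIR):
    """Return the absolute file to serve, or None when the request must be refused."""
    if not session_ok:
        return None                  # the flaw: the original endpoint skips this check
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        return None                  # an extension allow-list alone is not enough ...
    candidate = os.path.normpath(os.path.join(base_dir, path, filename))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None                  # ... so also refuse paths that escape base_dir
    return candidate

TRAVERSAL = re.compile(r"\.\.[/\\]")  # matched after URL-decoding, so %2e%2e%2f counts

def flag_download_requests(log_lines):
    """Return (line_no, reason) for download.php requests worth investigating."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m or "download.php" not in m.group(1):
            continue
        url = m.group(1)
        if TRAVERSAL.search(unquote(url)):
            hits.append((n, "traversal sequence in request"))
            continue
        fname = parse_qs(urlsplit(url).query).get("filename", [""])[0].lower()
        if fname.endswith(ARCHIVE_EXT):
            hits.append((n, "backup/archive file requested"))
    return hits

# Constructed Apache-style access log lines, not captured from any real appliance
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Dec/2025:10:00:02 +0000] "GET /download.php?path=..%2F..%2Fbackup&filename=db.zip HTTP/1.1" 200 9001',
    '203.0.113.9 - - [12/Dec/2025:10:00:03 +0000] "GET /download.php?path=faxes&filename=report.pdf HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Dec/2025:10:00:04 +0000] "GET /download.php?path=backup&filename=config.tar.gz HTTP/1.1" 200 77777',
]
```

The containment check uses os.path.commonpath rather than a string prefix, so a sibling such as /var/app/downloads.pdf reached via ".." is also refused.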