CVE-2025-34330 MEDIUM

CVE-2025-34330: AudioCodes Fax/IVR Appliance <= 2.6.23 Unauthenticated Prompt File Upload via ajaxPromptUploadFile.php

Vendor Audiocodes Limited
Product AudioCodes Fax/IVR Appliance
Weakness CWE-434 · Unrestricted file upload
Published November 19, 2025
Last update November 20, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated prompt upload endpoint at AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php. The script accepts an uploaded file and writes it into the C:\\F2MAdmin\\tmp directory using a filename derived from application constants, without any authentication, authorization, or file-type validation. A remote, unauthenticated attacker can upload or overwrite prompt- or music-on-hold–related files in this directory, potentially leading to tampering with IVR audio content or preparing files for use in further attacks.

Key dates

02Disclosure timeline

November 19, 2025 CVE published
November 20, 2025 Record updated