AudioCodes Fax Server and Auto-Attendant IVR Unauthenticated Backup Upload Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability exists in AudioCodes Fax Server and Auto-Attendant IVR appliances in versions through 2.6.23. These appliances expose an unauthenticated backup upload endpoint in the F2MAdmin web interface. The endpoint allows remote attackers to upload files without authentication or authorization, and without validating file types. The uploaded files are moved to a backup directory determined by the application's configuration. On default Windows installations, this directory typically resolves to the system drive. This flaw enables attackers to upload web server or interpreter configuration files that can be executed as code, potentially leading to arbitrary command execution under the web server account, which has NT AUTHORITY\SYSTEM privileges.
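As an added defender-side example (not code from the advisory or from AudioCodes): a small Python check that reads IIS W3C log lines for anonymous POSTs accepted at the F2MAdmin backup upload endpoint, and screens a backup-directory listing for file names IIS would execute or honour as configuration rather than store as inert data. The endpoint path, the IIS log field order and the sample log lines are assumptions constructed for the example, since the advisory names neither the URL nor the backup directory.

```python
# Placeholder: the advisory does not name the endpoint path; substitute the real
# F2MAdmin backup upload URL from your appliance (assumption).
UPLOAD_PATH = "/F2MAdmin/BACKUP_UPLOAD_ENDPOINT_PLACEHOLDER"

# Names IIS or ASP.NET would treat as configuration or code if they landed in a
# web-reachable directory (assumption: IIS/ASP.NET deployment, as on the appliance).
CODE_OR_CONFIG = {"web.config", "global.asax", "applicationhost.config"}
CODE_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax", ".config")

# Constructed IIS W3C log excerpt (not real appliance traffic). Field order:
# date time cs-method cs-uri-stem cs-username c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-11-19 17:27:01 POST /F2MAdmin/BACKUP_UPLOAD_ENDPOINT_PLACEHOLDER - 203.0.113.5 200
2025-11-19 17:28:10 POST /F2MAdmin/BACKUP_UPLOAD_ENDPOINT_PLACEHOLDER admin 198.51.100.7 200
2025-11-19 17:29:33 GET /F2MAdmin/login.aspx - 198.51.100.7 200
"""


def unauthenticated_uploads(log_text, upload_path=UPLOAD_PATH):
    """Return POSTs to the upload endpoint that IIS logged with no authenticated
    user ("-" in cs-username) and a 2xx status, i.e. anonymous uploads it accepted."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blank lines and W3C directives
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time, method, uri, user, ip, status = fields[:7]
        if (method == "POST" and uri.lower() == upload_path.lower()
                and user == "-" and status.startswith("2")):
            hits.append({"when": f"{date} {time}", "c_ip": ip, "uri": uri})
    return hits


def suspicious_backup_files(filenames):
    """Flag names in the backup directory that the web server would execute or
    honour as configuration instead of treating as backup data."""
    flagged = []
    for name in filenames:
        lower = name.lower()
        if lower in CODE_OR_CONFIG or lower.endswith(CODE_EXTENSIONS):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for hit in unauthenticated_uploads(SAMPLE_LOG):
        print("anonymous upload accepted:", hit)
    print("review:", suspicious_backup_files(["fax_backup.zip", "web.config", "shell.aspx"]))
```

Run the listing check against the directory the application's backup setting actually points to, and treat any hit from the log check as a sign the endpoint is still reachable without authentication.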

Impact

Exploitation of this vulnerability allows arbitrary command execution on the affected system in the context of the web server account, which runs with NT AUTHORITY\SYSTEM privileges.

Added: Nov 19, 2025, 5:27 PM
Updated: Nov 19, 2025, 7:41 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  7.4
remediation     0.0
relevance       1.0
threat          0.0
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.