AudioCodes Fax Server and Auto-Attendant IVR Unauthenticated File Upload Vulnerability

Vulnerability

A vulnerability exists in AudioCodes Fax Server and Auto-Attendant IVR appliances in versions through 2.6.23. The issue arises from a web administration component that provides an unauthenticated file upload endpoint. This endpoint accepts files and saves them in a temporary directory without any authentication, authorization, or file-type validation. As a result, a remote, unauthenticated attacker could upload or overwrite files related to prompts or music-on-hold, potentially disrupting IVR audio content or setting the stage for further attacks.

Impact

Exploitation of this vulnerability could lead to unauthorized modification of IVR audio files, allowing attackers to disrupt service or manipulate content for malicious purposes.

Added: Nov 19, 2025, 5:26 PM
Updated: Nov 19, 2025, 7:41 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 1.1
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.