AudioCodes Fax Server and Auto-Attendant IVR Unauthenticated File Read Vulnerability

Vulnerability

A file read vulnerability has been identified in AudioCodes Fax Server and Auto-Attendant IVR appliances, affecting versions through 2.6.23. The vulnerability arises from the download.php script, which lacks proper access controls, allowing remote, unauthenticated users to read files from the appliance by specifying file paths and names. Although the vulnerability is restricted to certain file extensions, it can be exploited to access sensitive backup archives that contain internal databases and credential hashes. This exploitation could lead to the disclosure of administrative password hashes and other confidential configuration information.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive files, including administrative password hashes and critical configuration data.

Added: Nov 19, 2025, 5:36 PM
Updated: Nov 19, 2025, 7:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.