Access Control Flaw in Sangoma FreePBX Products
CVE-2019-19006

9.8CRITICAL

Key Information:

Vendor

Sangoma

Status
Freepbx
Vendor
CVE Published:
21 November 2019

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸฃ EPSS 21%๐Ÿฆ… CISA Reported

What is CVE-2019-19006?

Sangoma FreePBX is affected by an access control vulnerability that allows unauthorized users to bypass authentication mechanisms. Versions 115.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below are impacted, potentially enabling attackers to gain unwanted access to administrative features. It is crucial for users of these versions to apply security patches to mitigate the risk associated with this vulnerability.

CISA has reported CVE-2019-19006

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2019-19006 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

References

https://www.freepbx.org/category/blog/
x_refsource_MISC
https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Ad...
x_refsource_CONFIRM
https://community.freepbx.org/t/freepbx-security-vulnerab...
x_refsource_MISC

EPSS Score

21% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿฆ…

    CISA Reported

  • Vulnerability published

  • Vulnerability Reserved

.