Hardcoded Credentials Vulnerability in Sangoma FreePBX Products
CVE-2023-26566

8.6HIGH

Key Information:

Vendor: Sangoma
Vendor: CVE Published:; 14 May 2024

What is CVE-2023-26566?

The vulnerability in Sangoma FreePBX versions 1805 through 2203 on Linux is characterized by hardcoded credentials within the Asterisk REST Interface (ARI). This poses a significant risk, as it enables remote attackers to gain unauthorized access, allowing them to reconfigure Asterisk settings. Exploitation can be executed via HTTP and WebSocket requests directed at the ARI API, potentially leading to unauthorized external and internal call capabilities. Organizations using affected FreePBX versions should prioritize mitigating this vulnerability to safeguard their communication systems.

References

https://qsecure.com.cy/resources/advisories/sangoma-freep...

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2024

CVE-2023-26566 Data

JSON