Critical FreePBX Bug Exposes User Portals to Unauthenticated Access
A critical security vulnerability has been discovered in FreePBX, a widely deployed open-source PBX platform, that enables unauthenticated attackers to access user portals under specific conditions.
Tracked as CVE-2026-46376 with a CVSS v4 base score of 9.1, the flaw affects the User Control Panel (UCP) through the platform’s “userman” module and has been present since 2021.
According to the official advisory published on GitHub (GHSA-m55x-h47x-v3gx), the vulnerability stems from hard-coded credentials introduced during the UCP template setup process and is classified under CWE-798 (Use of Hard-coded Credentials).
The flaw originates from an optional UCP generic template designed to simplify deployments. While the initial setup requires authenticated access to the Administrator Control Panel (ACP), the vulnerability surfaces afterward.
If administrators do not manually change or randomize the template credentials after configuration, those static credentials remain valid and can be used by anyone who can reach the UCP over the network, with no prior authentication.
Attackers can exploit this weakness remotely without authentication or user interaction, making the attack vector especially dangerous for internet-facing deployments. Successful exploitation can result in unauthorized access to sensitive user data within the UCP, compromising both confidentiality and integrity.
Affected Versions
The vulnerability impacts the following FreePBX releases:
| Module | Affected Versions | Patched Version |
|---|---|---|
| Userman (FreePBX 16) | Before 16.0.45 | 16.0.45 |
| Userman (FreePBX 17) | Before 17.0.7 | 17.0.7 |
Given the low attack complexity, network-based exploitation vector, and the flaw’s introduction in 2021, a significant number of unpatched or improperly hardened deployments may remain at risk.
Security researchers warn that threat actors actively scanning for systems with default or unchanged credentials could rapidly identify and exploit exposed FreePBX instances.
Mitigation
Administrators are strongly urged to take immediate action:
- Update the “userman” module to version 16.0.45 (FreePBX 16) or 17.0.7 (FreePBX 17) or later
- Change or randomize all default and template credentials immediately after enabling the UCP feature
- Restrict ACP access using VPN, MFA, or SAML authentication
- Apply firewall rules to limit UCP and ACP interface exposure to trusted IPs only
- Configure FreePBX firewall settings to permit access solely from registered SIP devices or known IP ranges
- Audit existing deployments for weak or unchanged credentials
- Review access logs for any signs of unauthorized access or suspicious activity
The vulnerability was reported by security researcher s0nnyWT and coordinated with FreePBX maintainers. Remediation was developed by Sangoma, the company behind FreePBX.
Organizations relying on FreePBX for voice communications infrastructure should treat this as a priority patch, given the critical CVSS score and the low barrier to exploitation.
With VoIP platforms increasingly targeted by threat actors seeking access to communication data and internal networks, securing FreePBX deployments goes beyond patching: a full credential audit and access control review is strongly recommended.