Vulnerability in Windows 3CX telephone systems

Anyone running a 3CX phone system under Windows in a version below v18 Update 3 (Build 450) should react: the manufacturer has released a security update for this product in the form of v18 Update 3 (Build 450).

The 3CX system

3CX is a software-based private branch exchange (PBX). The 3CX PBX is based on the SIP (Session Initiation Protocol) standard. The solution allows extensions to make calls over the Public Switched Telephone Network (PSTN) or via Voice over Internet Protocol (VoIP) services on-site, in the cloud or via a cloud service operated by 3CX. The 3CX Phone System is available for Windows, Linux and Raspberry Pi and supports standard SIP soft/hardphones, VoIP services, faxes, voice and web meetings, and traditional PSTN phone lines. Details can be found on the manufacturer's website.

Vulnerability in PBX software

Blog reader Liam contacted me by email back in the middle of the month and pointed out a security update for 3CX systems (thanks for that). He received the following notice from this manufacturer.

Dear Liam,

Our records indicate that you are using a Windows-based 3CX System below v18 Update 3 (Build 450). 3CX systems below this version have been subjected to a security vulnerability.

We are not aware of any exploitation of this vulnerability to date, and therefore we will not disclose further details of the vulnerability at the moment. This is to protect yourselves and other customers from possible malicious attacks. The reporting entity has also agreed to withhold publicly disclosing the CVE until 21st March 2022.

We urge you to upgrade your 3CX System to v18 Update 3 (Build 450) or higher as soon as possible, in order to keep your installation secure.

To upgrade to V18 Update 3

Click on "Updates" in the Management Console's Dashboard, select "v18 Update 3 Final" and click on "Download Selected" to install this update on your PBX.


The 3CX Team

In the meantime, 3CX has also released Version 18, Hotfix 1 (Security & Memory), Build March 2022, which fixes further vulnerabilities.

Addendum: The early feedback from readers was that this software had long since been patched and that not many people are still using it. I cannot make a final judgement, as I do not know/use the product.

3CX vulnerability

But I came across the above tweet and this article on Medium on 31 March 2022. User @frycos simply used the search engine Shodan to check the reachability of the "3CX Phone System Management Console" from the internet. Over 203,000 instances were found, of which over 31,600 installations are running in Germany, so it seems rather untrue that no one is still using it. In any case, @frycos took a close look at his own installation and describes how he was able to pick the system apart, security-wise, via the 3CX Phone System Management Console.
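Two checks follow from the post: whether an installation is below the threshold 3CX names, v18 Update 3 (Build 450), and whether its management console is reachable from the internet at all, which is what the Shodan search above measured. The script below is an added example and not code from 3CX or from @frycos. It assumes the version string format used in the 3CX notice ("v18 Update 3 (Build 450)") and that the console's HTML title contains "3CX Phone System Management Console"; the hostnames, version strings and HTTP responses in the inventory are constructed for illustration.

```python
import re

# Build that 3CX names as the first fixed version (from the manufacturer's notice).
PATCHED_VERSION = (18, 3, 450)

# Matches "v18 Update 3 (Build 450)" and "v18 Update 3 Final (Build 450)".
# Assumption: 3CX versions of this shape order correctly as (major, update, build).
VERSION_RE = re.compile(
    r"v(\d+)\s+Update\s+(\d+)\s*(?:Final)?\s*\(Build\s+(\d+)\)", re.IGNORECASE
)

# Title string the Shodan search in the post keyed on (assumed to appear in <title>).
CONSOLE_TITLE = "3CX Phone System Management Console"


def parse_version(text: str) -> tuple:
    """Return (major, update, build) parsed from a 3CX version string.

    Raises ValueError when no recognisable version is present, so that a
    hotfix or free-form string is not silently treated as patched.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no 3CX version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def needs_update(version_text: str) -> bool:
    """True when the installation is below v18 Update 3 (Build 450)."""
    return parse_version(version_text) < PATCHED_VERSION


def looks_like_console(http_response: str) -> bool:
    """True when an HTTP response body carries the management console title."""
    m = re.search(r"<title>(.*?)</title>", http_response, re.IGNORECASE | re.DOTALL)
    return m is not None and CONSOLE_TITLE.lower() in m.group(1).lower()


# Constructed inventory: what a small admin team might keep per PBX host.
# "public_http" is the body returned when the host is fetched from outside
# (None when nothing answers). All values here are made up for the example.
INVENTORY = [
    {
        "host": "pbx-old.example",
        "version": "v18 Update 2 (Build 440)",
        "public_http": "<html><head><title>3CX Phone System Management Console"
                       "</title></head><body></body></html>",
    },
    {
        "host": "pbx-new.example",
        "version": "v18 Update 3 Final (Build 450)",
        "public_http": None,
    },
    {
        "host": "pbx-unknown.example",
        "version": "3CX V18 Hotfix 1 (Security & Memory), Build March 2022",
        "public_http": "<html><head><title>Welcome</title></head></html>",
    },
]


def triage(inventory):
    """Return [(host, [reasons...])] for every host that needs attention."""
    findings = []
    for entry in inventory:
        reasons = []
        try:
            if needs_update(entry["version"]):
                reasons.append("below v18 Update 3 (Build 450): install the update")
        except ValueError:
            # Unparseable string: do not assume it is patched; verify in the console.
            reasons.append("version string not recognised: verify build manually")
        resp = entry.get("public_http")
        if resp and looks_like_console(resp):
            reasons.append("management console reachable from the internet")
        if reasons:
            findings.append((entry["host"], reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in triage(INVENTORY):
        print(host)
        for r in reasons:
            print("  -", r)
```

The tuple comparison is what makes the threshold check robust: v18 Update 4 with a low build number still sorts above (18, 3, 450), and any v16 or v17 build sorts below it. A version string the regex does not understand is reported rather than treated as safe, which is the conservative choice when the only thing you know about a box is that it answers with the console title.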
