FreePBX Vulnerability Allows Attackers Access to User Port

A critical vulnerability impacting the open-source IP PBX platform FreePBX could grant unauthenticated attackers unauthorized access to user portals.

The issue, tracked as CVE-2026-46376, affects the User Control Panel (UCP) interface due to hard-coded credentials in the userman module.

It impacts FreePBX versions before 16.0.45 and 17.0.7. Systems running outdated versions are at risk if administrators have not properly modified default credentials during initial configuration.

FreePBX Vulnerability

The flaw stems from the use of hard-coded sample credentials embedded in the UCP generic template during the setup process.

Although optional and designed to simplify deployment, this setup can create a serious security risk if administrators do not change the default credentials after initialization.

Once the template is configured, these credentials may remain active, allowing unauthenticated users to log in to the UCP without valid authentication.

Notably, attackers do not need prior access, privileges, or user interaction to exploit this issue, making it highly dangerous in exposed environments.

The vulnerability is categorized under CWE-798 (Use of Hard-coded Credentials), a well-known weakness that often leads to unauthorized access.

The vulnerability has been assigned a CVSS v4 base score of 9.1 (Critical), indicating a high level of risk.

The attack vector is network-based and low-complexity, and exploitation does not require authentication.

Successful exploitation could lead to:

• Unauthorized access to user accounts via the UCP interface.
• Exposure of sensitive user data.
• Potential manipulation of user settings and configurations.

While the vulnerability does not directly affect system availability, its impact on confidentiality and integrity is rated high.

The vulnerability was publicly disclosed under advisory GHSA-m55x-h47x-v3gx by security researcher chrsmj.

FreePBX developers have released patches to address the issue. Administrators are strongly advised to upgrade immediately:

• FreePBX 16 users should update to version 16.0.45 or later.
• FreePBX 17 users should update to version 17.0.7 or later.

Additional security measures include:

• Ensuring all default or template credentials are changed during setup.
• Restricting access to the Administrator Control Panel (ACP) using VPN, MFA, or SAML.
• Using the FreePBX Firewall module to limit UCP and ACP access to trusted IP addresses.
• Blocking access from untrusted or hostile networks.

Organizations should also audit existing deployments to identify systems where UCP templates were enabled without credential changes.

The vulnerability stemmed from a code change introduced in 2021 and was reported by researcher s0nnyWT, coordinated by chrsmj, with remediation developed by Sangoma.

Given its ease of exploitation and high impact, this vulnerability underscores the ongoing risks posed by insecure default configurations. It underscores the need for strict credential management practices in enterprise systems.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.