| |
Vulnerability CVE-2022-28005
Published: 2022-05-06
| Description: |
An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server, leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. Versions prior to version 18, Hotfix 1 Build 18.0.3.461 March 2022, are prone to an additional unauthenticated file system access to C:\Windows\System32. |
References: |
https://www.3cx.com/blog/releases/v18-security-hotfix/
https://www.3cx.com/blog/change-log/phone-system-change-log/
https://www.3cx.com/blog/releases/v18-update-3-final/
|
|
|
closedb();
?>
Copyright 2026, cxsecurity.com
|
|
|