FreePBX Vulnerability Allows Attackers to Gain Access to User Portals
By Abinaya
May 20, 2026
A critical vulnerability in the open-source IP PBX platform FreePBX could allow unauthenticated attackers to access user portals.
The issue, tracked as CVE-2026-46376, affects the User Control Panel (UCP) interface due to hard-coded credentials in the userman module.
It impacts FreePBX versions before 16.0.45 and 17.0.7. Systems running outdated versions are at risk if administrators have not properly modified default credentials during initial configuration.
FreePBX Vulnerability
The flaw stems from the use of hard-coded sample credentials embedded in the UCP generic template during the setup process.
Although optional and designed to simplify deployment, this setup can create a serious security risk if administrators do not change the default credentials after initialization.
Once the template is configured, these credentials may remain active, allowing unauthenticated users to log in to the UCP without valid authentication.
Notably, attackers do not need prior access, privileges, or user interaction to exploit this issue, making it highly dangerous in exposed environments.
The vulnerability is categorized under CWE-798 (Use of Hard-coded Credentials), a well-known weakness that often leads to unauthorized access.
The vulnerability has been assigned a CVSS v4 base score of 9.1 (Critical), indicating a high level of risk.
The attack vector is network-based and low-complexity, and exploitation does not require authentication.
Successful exploitation could lead to:
Unauthorized access to user accounts via the UCP interface.
Exposure of sensitive user data.
Potential manipulation of user settings and configurations.
While the vulnerability does not directly affect system availability, its impact on confidentiality and integrity is rated high.
The vulnerability was publicly disclosed under advisory GHSA-m55x-h47x-v3gx by security researcher chrsmj.
FreePBX developers have released patches to address the issue. Administrators are strongly advised to upgrade immediately:
FreePBX 16 users should update to version 16.0.45 or later.
FreePBX 17 users should update to version 17.0.7 or later.
Additional security measures include:
Ensuring all default or template credentials are changed during setup.
Restricting access to the Administrator Control Panel (ACP) using VPN, MFA, or SAML.
Using the FreePBX Firewall module to limit UCP and ACP access to trusted IP addresses.
Blocking access from untrusted or hostile networks.
Organizations should also audit existing deployments to identify systems where UCP templates were enabled without credential changes.
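The upgrade thresholds and the deployment audit described above can be combined into a small inventory check. This is an added example, not code from the article or from the FreePBX project; it assumes you already have each host's FreePBX framework version (for instance from an asset inventory) and encodes only the fixed versions the advisory names, 16.0.45 and 17.0.7.

```python
"""Flag FreePBX hosts whose version predates the fixes for CVE-2026-46376.

Added example, not from the advisory or the FreePBX project. Assumption: the
version string is whatever the inventory reports, e.g. "16.0.40.12" or
"17.0.6". Fixed versions are taken from the advisory text."""
import re

# Branch -> first fixed version, as stated in the advisory.
FIXED = {16: (16, 0, 45), 17: (17, 0, 7)}


def parse_version(s):
    """Turn '16.0.40.12' into a comparable tuple of ints; a leading 'v' and
    trailing suffixes such as '-beta' are ignored. Raises ValueError on garbage."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one host.
    Branches the advisory does not mention (e.g. 15.x) come back as
    'unknown' so they get manual review instead of a false 'fixed'."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"
    # Tuple comparison is element-wise: (16,0,40,12) < (16,0,45) is True.
    return "vulnerable" if v < fixed else "fixed"


def audit(inventory):
    """inventory: iterable of (hostname, version) pairs.
    Returns {status: sorted hostnames} for the three statuses."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        report[assess(version)].append(host)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [("pbx-a.example", "16.0.40.12"), ("pbx-b.example", "17.0.7"),
              ("pbx-c.example", "17.0.6"), ("pbx-d.example", "15.0.38")]
    for status, hosts in audit(sample).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

A host reported as "fixed" still needs the template credentials confirmed changed, since the version check says nothing about what was configured in UCP.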
The vulnerability stemmed from a code change introduced in 2021 and was reported by researcher s0nnyWT, coordinated by chrsmj, with remediation developed by Sangoma.
Given its ease of exploitation and high impact, this vulnerability underscores the ongoing risks posed by insecure default configurations and the need for strict credential management practices in enterprise systems.