
2026-02-03 — Sangoma FreePBX Remote Admin authentication bypass (CVE-2019-19006)

Signal: Added to CISA KEV on 2026-02-03.

Impact (per CISA): Improper authentication that can potentially allow unauthorized users to bypass password authentication and access services provided by the FreePBX admin.

Vendor/Product: Sangoma FreePBX

Why this matters

An admin auth bypass in a telephony management platform can rapidly become full compromise:

  • call routing manipulation / toll fraud
  • credential theft (SIP trunks, provider accounts)
  • lateral movement via the host

KEV status implies exploitation is known and active.

Triage (15–30 minutes)

  1. Confirm exposure
     • Determine whether FreePBX admin endpoints are reachable from the internet or untrusted networks.

  2. Check patch/mitigation status
     • Validate your deployed version against the vendor advisory for CVE-2019-19006.

  3. Preserve logs
     • Web server access logs, FreePBX admin/auth logs, and any reverse proxy/WAF logs.

Mitigation (do now)

  1. Apply vendor mitigations/patches
     • Follow FreePBX’s advisory guidance.

  2. Access control hardening
     • Restrict admin UI to VPN/allowlists.
     • Enforce MFA where possible.
     • Ensure strong unique admin credentials.

  3. Post-fix hardening
     • Rotate admin credentials and any secrets stored in the system.
     • Review admin user list and roles for unexpected changes.

Hunt / detection ideas

  • Unexpected admin logins or sessions, especially from new IPs
  • Requests to admin endpoints that succeed without expected authentication flow
  • New/modified call routing, outbound dialing rules, or trunk configs
  • Signs of toll fraud: unusual call volume, destination patterns, after-hours spikes
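
A first pass over web server access logs for the first two hunt ideas above, as an added example (not part of this advisory or of FreePBX). It assumes the admin UI is served under /admin/ with the login form at /admin/config.php and that admin access normally comes from a known allowlist; the log lines, IPs and request paths are constructed.

```python
import re

# Constructed sample lines in combined log format; IPs are RFC 5737 documentation
# addresses and the request paths are illustrative, not captured from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2026:09:00:01 +0000] "GET /admin/config.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2026:09:00:02 +0000] "POST /admin/config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2026:09:00:03 +0000] "GET /admin/config.php?display=trunks HTTP/1.1" 200 8300 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2026:03:12:44 +0000] "GET /admin/config.php?display=trunks HTTP/1.1" 200 8300 "-" "python-requests/2.31"
203.0.113.7 - - [03/Feb/2026:03:12:45 +0000] "POST /admin/ajax.php?module=core&command=savetrunk HTTP/1.1" 200 45 "-" "python-requests/2.31"
198.51.100.9 - - [03/Feb/2026:03:20:00 +0000] "GET /admin/config.php HTTP/1.1" 200 5120 "-" "curl/8.0"
"""

# Deployment assumptions (adjust to yours): admin UI under /admin/, login form
# served and posted at /admin/config.php, admins normally come from one known IP.
ADMIN_PREFIX = "/admin/"
LOGIN_PATH = "/admin/config.php"
ADMIN_ALLOWLIST = {"10.0.0.5"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_admin_access(log_text, allowlist=ADMIN_ALLOWLIST):
    """Return (ip, path, reason) for successful admin requests that look wrong."""
    findings = []
    logged_in = set()  # IPs that POSTed to the login form earlier in the log
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        url = path.split("?", 1)[0]
        if not url.startswith(ADMIN_PREFIX):
            continue
        # A POST to the login form is the expected first step of an admin session.
        # The access log cannot tell success from failure; correlate with FreePBX auth logs.
        if method == "POST" and url == LOGIN_PATH:
            logged_in.add(ip)
            continue
        if not 200 <= status < 300:
            continue
        # The bare login page is served to anyone; only deeper admin content needs a session.
        is_login_page = url == LOGIN_PATH and "?" not in path
        if ip not in allowlist:
            findings.append((ip, path, "admin UI reached from non-allowlisted IP"))
        if not is_login_page and ip not in logged_in:
            findings.append((ip, path, "admin content served with no prior login POST"))
    return findings
```

Run it over a day of access logs and pivot on the flagged IPs in the FreePBX admin/auth logs and trunk/route change history; a session that reaches configuration pages with no login POST at all is the pattern this CVE's auth bypass would leave.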

References