🔴 CVE-2019-19006

Authentication bypass vulnerability in Sangoma FreePBX allowing remote, unauthenticated access to administrative functions. This is a critical vulnerability with a CVSS score of 9.8 that has been actively exploited in the wild and added to the CISA KEV catalog.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 - Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2019-11-21

Added to CISA KEV: 2026-02-03 (2266 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2019-19006 is an improper authentication vulnerability affecting Sangoma FreePBX, a widely used open-source IP PBX (Private Branch Exchange) system [1] [2].

Key Details
Feature: Status

Active Exploitation: Yes, it is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog as of February 2026 [3].

Attack Vector: Remote (network-based) [2].

User Interaction: Not required.

Impact: Authentication bypass, allowing unauthorized access to the administrative interface.

Affected Versions: FreePBX 15.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below [1].
Analysis
  • Active Exploitation & Threat Actors: As of February 2026, CISA formally added this vulnerability to its KEV catalog due to evidence of active exploitation in the wild [3]. While specific threat actor campaigns are not always detailed in public CVE databases, vulnerabilities in PBX systems are frequently targeted for unauthorized access, toll fraud, and monetization through the hijacking of telephony infrastructure [2].
  • Attack Method: The vulnerability stems from incorrect access control within the FreePBX administrative framework. It allows a remote, unauthenticated attacker to bypass authentication mechanisms and gain administrative access to the system [1].
  • Impact: Successful exploitation grants an attacker administrative control over the FreePBX instance. This can lead to full system compromise, including the ability to modify system configurations, intercept communications, or use the PBX for malicious activities such as toll fraud.
  • Mitigation & Patch Status: Users are strongly advised to update to a version of FreePBX that contains the fix. Sangoma provided guidance and patches shortly after the vulnerability's disclosure in late 2019 [2]. Organizations should verify their current version and apply all available security updates immediately. If patching is not immediately possible, restricting access to the administrative interface to trusted IP addresses via firewall rules is a critical compensating control.

Sources

  1. CVE-2019-19006 | Tenable®

    Description. Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. ... Details Source: Mitre, NVD Published: 2019-11-22 Updated: 2026-02-04 Known Exploited Vulnerability (KEV) Risk Information CVSS v2 Base Score: 7.5 ... Details.

  2. NVD - CVE-2019-19006

    CVE-2019-19006 Detail Description Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. ... National Vulnerability Database. Vulnerabilities.Broken Link. https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-f…

  3. CISA Adds Four Known Exploited Vulnerabilities to Catalog

    CISA Adds Four Known Exploited Vulnerabilities to Catalog ; CVE-2019-19006 Sangoma FreePBX Improper Authentication Vulnerability ; CVE-2021-39935 ... CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2019-19006…