CVE Watch · Published 2026-05-29

Four FreePBX CVEs landed together. Your phones may be live and exposed.

On May 29 the FreePBX security team published four CVEs in one batch. Two score above CVSS 8.0 and the other two are rated High at 7.6. The worst is a pre-auth User Control Panel takeover through hard-coded credentials (CVE-2026-46376, CVSS 9.3). PoC code is public on GitHub. If you run FreePBX 16.x or 17.x, patch and verify today, not next week. When phones go down, businesses stop, and that is what makes this cluster ugly.

The four CVEs in one table

  • CVE-2026-46376 · CVSS 9.3 Critical · UCP unauthenticated access via hard-coded initial template credentials. Affects 15.0.42 up to (but not including) 16.0.45 and 17.0.7. Fixed in 16.0.45 / 17.0.7. If the admin enabled UCP and never changed the default template credentials, anyone who can reach the UCP login page can sign in.
  • CVE-2026-44238 · CVSS 8.5 High · SQL injection in the CDR Reports module via the order and sort POST parameters. Requires an Admin Control Panel account with CDR access — not full admin. Fixed in 16.0.50 / 17.0.11.
  • CVE-2026-44237 · CVSS 7.6 High · The OAuth2 implementation in the API module accepts any client_secret when paired with a valid client_id. The validateClient() method literally returns true. Fixed in 17.0.8.
  • CVE-2026-44239 · CVSS 7.6 High · Path traversal via rawname in the Dashboard module's getcontent AJAX handler. Lets an authenticated admin include arbitrary .class.php files. Fixed in 16.0.22 / 17.0.5.
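CVE-2026-44238 is the one with a lesson that outlives this patch cycle: ORDER BY cannot take bound parameters, so a sort column and direction that come straight from a POST body have to be mapped onto an allow-list before they touch the SQL string. The block below is an added example written for this page, not FreePBX's or the CDR module's code; the toy `cdr` table, its rows and the `order`/`sort` argument names are constructed for illustration. It shows the interpolation pattern beside the hardened version and feeds both a crafted `order` value that is a SQL expression rather than a column name.

```python
import sqlite3

# Constructed toy call-detail table; not FreePBX's schema.
ROWS = [
    ("2026-05-28 09:00:00", "1001", "2025551234", 30),
    ("2026-05-28 09:05:00", "1002", "2025555678", 120),
    ("2026-05-28 09:10:00", "1001", "2025559999", 5),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cdr (calldate TEXT, src TEXT, dst TEXT, duration INTEGER)")
    db.executemany("INSERT INTO cdr VALUES (?, ?, ?, ?)", ROWS)
    return db


def report_vulnerable(db, order, sort):
    # ORDER BY has no placeholder form, so the raw request values are spliced
    # into the statement and any SQL expression the caller sends is executed.
    sql = f"SELECT calldate, duration FROM cdr ORDER BY {order} {sort}"
    return db.execute(sql).fetchall()


# Only these identifiers may ever reach the SQL string.
ALLOWED_COLUMNS = {"calldate", "src", "dst", "duration"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def report_hardened(db, order, sort):
    # Reject anything that is not an exact allow-listed column or direction;
    # the request value itself is never interpolated, only the canonical form.
    if order not in ALLOWED_COLUMNS:
        raise ValueError(f"rejected order column: {order!r}")
    direction = ALLOWED_DIRECTIONS.get(str(sort).lower())
    if direction is None:
        raise ValueError(f"rejected sort direction: {sort!r}")
    sql = f'SELECT calldate, duration FROM cdr ORDER BY "{order}" {direction}'
    return db.execute(sql).fetchall()


# Crafted order value (constructed for this example): a CASE expression whose
# result depends on a subquery, so the resulting row order leaks whether the
# condition held. Against the vulnerable path it sorts by duration.
PROBE = ("CASE WHEN (SELECT count(*) FROM sqlite_master) > 0 "
         "THEN duration ELSE calldate END")

if __name__ == "__main__":
    db = make_db()
    print("normal   :", report_vulnerable(db, "calldate", "ASC"))
    print("injected :", report_vulnerable(db, PROBE, "ASC"))
    try:
        report_hardened(db, PROBE, "ASC")
    except ValueError as exc:
        print("hardened :", exc)
```

The hardened version deliberately does not try to escape or quote the request value; it maps the value onto a fixed identifier and refuses everything else, which is the only approach that works for the parts of a statement a database driver will not parameterize.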

Why four CVEs at once is a bigger problem than one

A single CVE drop, you patch and move on. A four-CVE cluster means the project has had multiple eyes on the codebase recently, and there is usually more coming. It also means automated scanners pivot fast: a FreePBX login page is easy to fingerprint in Shodan. Mass scanning for a cluster like this typically starts within 72 hours of publication, and the first wave of compromises tends to show up on Reddit and the FreePBX community forum within two weeks.

The one I'd worry about most is CVE-2026-46376. UCP (User Control Panel) is what end users log into to check their voicemail, set call forwarding, and listen to recordings. Most admins enable it, forget about the initial template account, and never look again. Hard-coded credentials in a web-facing component are the kind of bug that gets weaponised by opportunistic scanners the same week it's published.

Who's most exposed

VoIP service providers running multi-tenant FreePBX. Small and medium businesses on a self-managed FreePBX VPS with the web interface (ports 80/443, UCP included) exposed. MSPs managing phone systems for law firms, medical clinics, real estate offices, call centers; these clients usually have accounts with CDR access enabled for billing, which is exactly the level of access CVE-2026-44238 needs.

If your FreePBX login is reachable from the public internet without IP allow-listing, if you haven't updated since April, or if you can't say which users have UCP enabled, you're in scope.
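"Haven't updated since April" is a proxy; the real question is whether each of the four modules is at or past the fixed version in the table above, and that comparison is easy to get wrong by hand (16.0.9 sorts after 16.0.45 as a string). The script below is an added example for this page, not a Ping7 or FreePBX tool. It encodes the fixed versions exactly as the table lists them, compares numerically, and reads a constructed sample modelled on the pipe-delimited table that `fwconsole ma list` prints; the exact column layout of that output and the module rawnames `ucp`, `cdr`, `api` and `dashboard` are assumptions. A branch the advisory gives no fixed version for (for example a 15.x UCP or a 16.x API module) is reported as unknown rather than guessed.

```python
import re

# Fixed versions per branch, copied from the advisory table on this page.
# "since" is the lowest affected version where the advisory states one.
# Module rawnames are an assumption about how `fwconsole ma list` labels them.
ADVISORIES = {
    "ucp":       {"cve": "CVE-2026-46376", "since": "15.0.42",
                  "fixed": {"16.0": "16.0.45", "17.0": "17.0.7"}},
    "cdr":       {"cve": "CVE-2026-44238", "since": None,
                  "fixed": {"16.0": "16.0.50", "17.0": "17.0.11"}},
    "api":       {"cve": "CVE-2026-44237", "since": None,
                  "fixed": {"17.0": "17.0.8"}},
    "dashboard": {"cve": "CVE-2026-44239", "since": None,
                  "fixed": {"16.0": "16.0.22", "17.0": "17.0.5"}},
}


def vtuple(version):
    """Numeric 4-tuple so 16.0.9 < 16.0.45 (a string compare gets this wrong)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts + (0,) * (4 - len(parts))


def branch(version):
    major, minor = vtuple(version)[:2]
    return f"{major}.{minor}"


def assess(module, version):
    """Return (state, cve) for one installed module version."""
    adv = ADVISORIES.get(module)
    if adv is None:
        return ("not-listed", None)
    v = vtuple(version)
    if adv["since"] and v < vtuple(adv["since"]):
        return ("not-affected", adv["cve"])   # below the first affected version
    fixed = adv["fixed"].get(branch(version))
    if fixed is None:
        return ("unknown", adv["cve"])        # advisory lists no fix for this branch
    return ("vulnerable" if v < vtuple(fixed) else "patched", adv["cve"])


# Constructed sample in the shape of `fwconsole ma list` output (layout assumed).
SAMPLE = """
+-----------+-----------+---------+
| Module    | Version   | Status  |
+-----------+-----------+---------+
| api       | 17.0.6    | Enabled |
| cdr       | 17.0.11   | Enabled |
| dashboard | 17.0.4.1  | Enabled |
| ucp       | 16.0.9    | Enabled |
| core      | 17.0.19   | Enabled |
+-----------+-----------+---------+
"""


def parse_module_list(text):
    """Pick (rawname, version) out of pipe-delimited table rows; skip headers and rules."""
    mods = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and re.fullmatch(r"\d+(\.\d+)+", cells[1]):
            mods[cells[0]] = cells[1]
    return mods


def scan(text):
    """Assess every module in the listing that the advisory covers."""
    return {m: assess(m, v) for m, v in parse_module_list(text).items()
            if m in ADVISORIES}


if __name__ == "__main__":
    for mod, (state, cve) in scan(SAMPLE).items():
        print(f"{mod:10} {state:12} {cve}")
```

On a real box, pipe the output of `fwconsole ma list` into `scan` instead of `SAMPLE`; anything reported as vulnerable or unknown is in scope for the lockdown steps above, and the UCP line deserves a credential check regardless of version because the template account is a configuration problem as much as a code one.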

Phones already down? Need help patching without breaking calls?

FreePBX upgrades on live systems are not a five-minute job. We patch with the call queue still answering.

  • $99 · Version Audit Call · 30-min screenshare, we patch together
  • $199 · UCP Lockdown Audit · every UCP account reviewed + forced credential reset
  • $399 · Full Patch Package · all four CVEs patched + IOC review + report
  • $599–$1,499 · Multi-server / MSP · bulk patch across a customer fleet

Want CVE alerts in your inbox?

Ping7 runs a public CVE early-warning radar that filters NVD and CISA KEV for vulnerabilities relevant to web hosting, WordPress, FreePBX, and the rest of the small-business server stack. One email per Critical CVE that actually matters. No spam, no partner sales.

Ping7 is not affiliated with FreePBX, Sangoma, or any VoIP vendor. All trademarks belong to their owners. This page references public CVE data only and does not include proof-of-concept code, exploitation steps, or any information that goes beyond public advisories.