AI description
CVE-2019-19006 is an improper authentication vulnerability found in Sangoma FreePBX versions 115.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below. This flaw allows a remote attacker to bypass the login mechanism and gain full administrative access to the FreePBX system without valid credentials. Exploiting this vulnerability enables an unauthenticated user to effectively take control of the PBX web interface, allowing them to change configurations, access call logs, and manage users. The vulnerability is categorized as an incorrect access control issue.
- Description: Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.
- Source: cve@mitre.org
- NVD status: Analyzed
- Products: freepbx
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
CVSS 2.0
- Type: Primary
- Base score: 7.5
- Impact score: 6.4
- Exploitability score: 10
- Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P
Data from CISA
- Vulnerability name: Sangoma FreePBX Improper Authentication Vulnerability
- Exploit added on: Feb 3, 2026
- Exploit action due: Feb 24, 2026
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA KEV (exploited): SolarWinds Web Help Desk CVE-2025-40551 (RCE) + FreePBX CVE-2019-19006 (auth bypass) and CVE-2025-64328 (cmd inj). If you run it in MX, prioritize patching/mitigation today. https://t.co/Qx2MUYiM2S #Ciberseguridad #Mexico
@BotBauR
4 Feb 2026
Added to KEV: CVE-2019-19006 Sangoma FreePBX CVE-2021-39935 GitLab Community and Enterprise Editions CVE-2025-40551 SolarWinds Web Help Desk CVE-2025-64328 Sangoma FreePBX
@papa_anniekey
4 Feb 2026
‼️ CISA has added 4 vulnerabilities to the KEV Catalog https://t.co/9idGUAHIKd CVE-2025-40551: SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2019-19006: Sangoma FreePBX Improper Authentication Vulnerability CVE-2025-64328: Sangoma FreePBX OS
@DarkWebInformer
3 Feb 2026
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "15601D4B-F4D7-4A59-AA59-F9C28DCF6E33",
            "versionEndIncluding": "13.0.197.13",
            "versionStartIncluding": "13.0.0.0"
          },
          {
            "criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BC783D51-829F-4F40-8C11-8006CFD56701",
            "versionEndIncluding": "14.0.13.11",
            "versionStartIncluding": "14.0.0.0"
          },
          {
            "criteria": "cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "55D2FF3D-ED67-46E2-98D5-E01B14100E9E",
            "versionEndIncluding": "15.0.16.26",
            "versionStartIncluding": "15.0.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]