CVE-2019-19006

Published Nov 21, 2019

Last updated 2 months ago

Exploit knownCVSS critical 9.8

Overview

Description
Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.
Source
cve@mitre.org
NVD status
Analyzed
Products
freepbx

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

CVSS 2.0

Type
Primary
Base score
7.5
Impact score
6.4
Exploitability score
10
Vector string
AV:N/AC:L/Au:N/C:P/I:P/A:P

Known exploits

Data from CISA

Vulnerability name
Sangoma FreePBX Improper Authentication Vulnerability
Exploit added on
Feb 3, 2026
Exploit action due
Feb 24, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov
CWE-287
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-287

Social media

Hype score
Not currently trending

  1. KEV de CISA (explotadas): SolarWinds Web Help Desk CVE-2025-40551 (RCE) + FreePBX CVE-2019-19006 (auth bypass) y CVE-2025-64328 (cmd inj). Si en MX lo operas, prioriza parche/mitigación hoy. https://t.co/Qx2MUYiM2S #Ciberseguridad #Mexico

    @BotBauR

    4 Feb 2026

    46 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. KEV追加 CVE-2019-19006 Sangoma FreePBX CVE-2021-39935 GitLab Community and Enterprise Editions CVE-2025-40551 SolarWinds Web Help Desk CVE-2025-64328 Sangoma FreePBX

    @papa_anniekey

    4 Feb 2026

    613 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  3. ‼️ CISA has added 4 vulnerabilities to the KEV Catalog https://t.co/9idGUAHIKd CVE-2025-40551: SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability CVE-2019-19006: Sangoma FreePBX Improper Authentication Vulnerability CVE-2025-64328: Sangoma FreePBX OS

    @DarkWebInformer

    3 Feb 2026

    3051 Impressions

    4 Retweets

    17 Likes

    5 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.CVE-2026-28287
  2. FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5.CVE-2026-28284
  3. FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7.CVE-2026-28210
  4. FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5.CVE-2026-28209
  5. FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT with full access to the REST and GraphQL APIs on a FreePBX that they've already connected to, possibly as a lower privileged user. The JWT is signed using the api-oauth.key private key. An attacker can generate their own token if they possess this key (e.g., by accessing an affected instance), and specify any scopes they wish (e.g., rest, gql), bypassing traditional authorization checks. However, FreePBX enforces that the jti (JWT ID) claim must exist in the database (api_access_tokens table in the asterisk MySQL database) in order for the token to be accepted. Therefore, the attacker must know a jti value that already exists on the target instance. This vulnerability is fixed in 17.0.5 and 16.0.17.CVE-2025-55210

References

Sources include official advisories and independent security research.