CVE-2019-19006
Published: 21 November 2019
Summary
CVE-2019-19006 is a critical-severity Improper Authentication (CWE-287) vulnerability in Sangoma FreePBX. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Sangoma FreePBX versions 15.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below contain an incorrect access control vulnerability classified as CWE-287 (Improper Authentication). The issue is rated 9.8 under CVSS 3.1 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting a network-reachable authentication weakness in the administrative interface of the PBX platform that requires no privileges or user interaction to reach.
An unauthenticated remote attacker can exploit the flaw to bypass login controls entirely, obtaining administrative privileges that permit arbitrary changes to system configuration, call routing, user accounts, and other sensitive PBX functions.
Public advisories published by Sangoma and the FreePBX project under identifier SEC-2019-001 describe the issue as a remote admin authentication bypass and direct administrators to the project wiki and community forums for patch availability and remediation steps.
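The advisory text above gives three affected branches, each vulnerable at or below a specific build. The following added example (written for this page, not code from Sangoma or the FreePBX project) turns those ranges into an inventory check a defender can run against a list of deployed versions. The version strings in the sample inventory are constructed for illustration; how you collect the real version (for example from the host's FreePBX installation) is left to the operator.

```python
"""Classify FreePBX version strings against the ranges affected by CVE-2019-19006."""
from typing import Dict, List, Tuple

# Upper bound of each affected branch, as stated in the advisory:
# everything at or below these builds within the same major branch is affected.
AFFECTED_MAX: Dict[int, Tuple[int, ...]] = {
    15: (15, 0, 16, 26),
    14: (14, 0, 13, 11),
    13: (13, 0, 197, 13),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.0.16.26' into (15, 0, 16, 26); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable FreePBX version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version sits inside one of the advisory's affected ranges.

    Tuple comparison handles shorter strings correctly: (15, 0, 16) is below
    (15, 0, 16, 26), so a bare '15.0.16' is reported as affected.
    Major branches the advisory does not name return False; they are simply
    outside what this record says, not proven safe.
    """
    parsed = parse_version(version)
    ceiling = AFFECTED_MAX.get(parsed[0])
    if ceiling is None:
        return False
    return parsed <= ceiling


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose FreePBX version is affected, sorted for stable reporting."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are illustrative, not real assets).
SAMPLE_INVENTORY = {
    "pbx-branch-a": "15.0.16.26",   # exactly at the ceiling: affected
    "pbx-branch-b": "15.0.16.27",   # one build past the ceiling: not affected
    "pbx-legacy": "13.0.197.13",    # at the 13.x ceiling: affected
    "pbx-lab": "14.0.13.12",        # past the 14.x ceiling: not affected
    "pbx-old": "14.0.13",           # below 14.0.13.11: affected
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is within a CVE-2019-19006 affected range")
```

Hosts the check flags should be treated as the priority set for patching and for reviewing who can reach the admin interface; a host that falls outside every listed range is outside this record, not cleared in general.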
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-8659
Vulnerability details
Sangoma FreePBX 15.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below have Incorrect Access Control.
- CWE(s): CWE-287 (Improper Authentication)
- KEV Date Added: 03 February 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization on the administrative interface that the CVE bypasses.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication of users before granting access to PBX admin functions.
- Restricts and secures remote network access to the administrative interface exposed by the vulnerable FreePBX versions.