Cyber Resilience

CVE-2019-19006

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 21 November 2019
Modified: 04 February 2026
KEV Added: 03 February 2026
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2164 (95.9th percentile)
Risk Priority: 53 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-19006 is a critical-severity Improper Authentication (CWE-287) vulnerability in Sangoma FreePBX. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Sangoma FreePBX versions 15.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below contain an incorrect access control vulnerability classified as CWE-287 (Improper Authentication). The issue is rated 9.8 under CVSS 3.1 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting a network-reachable authentication bypass that requires no privileges or user interaction and affects the administrative interface of the PBX platform.

An unauthenticated remote attacker can exploit the flaw to bypass login controls entirely, obtaining administrative privileges that permit arbitrary changes to system configuration, call routing, user accounts, and other sensitive PBX functions.

Public advisories published by Sangoma and the FreePBX project under identifier SEC-2019-001 describe the issue as a remote admin authentication bypass and direct administrators to the project wiki and community forums for patch availability and remediation steps.

Vulnerability details

Sangoma FreePBX 15.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.

CWE(s): CWE-287 (Improper Authentication)
KEV Date Added: 03 February 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sangoma
Product: freepbx
Affected versions: 13.0.0.0 to 13.0.197.13 · 14.0.0.0 to 14.0.13.11 · 15.0.0.0 to 15.0.16.26

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces authentication and authorization on the administrative interface that the CVE bypasses.

IA-2 Identification and Authentication (Organizational Users) (prevent)

Requires identification and authentication of users before granting access to PBX admin functions.

AC-17 Remote Access (partial match; prevent)

Restricts and secures remote network access to the administrative interface exposed by the vulnerable FreePBX versions.