CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2019-19006

CVSS 9.8v3.1pub. 2019-11-21upd. 2026-02-04

Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Sangoma Freepbx

    APP
    Sangoma
    13.0.0.0 – 13.0.197.1314.0.0.0 – 14.0.13.1115.0.0.0 – 15.0.16.26

CISA KEV — detailsi

Vendori
Sangoma
Producti
FreePBX
Added to KEVi
February 3, 2026
Remediation deadline (US Federal)i
February 24, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 24 lutego 2026
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-57819CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Krytyczna podatność RCE i SQL injection w Sangoma FreePBX (bez uwierzytelnienia)

CVE-2026-46376CRITICAL9.3PL ✓ten sam produkt

FreePBX UCP: dostęp bez uwierzytelnienia przez wbudowane dane logowania

CVE-2025-66039CRITICAL9.3PL ✓ten sam produkt

FreePBX Endpoint Manager — pominięcie uwierzytelnienia (Auth Bypass)

CVE-2021-45461CRITICAL9.8ten sam produkt

FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, a...

CVE-2020-10666CRITICAL9.8ten sam produkt

The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2 allo...