CVE-2019-19006: FreePBX Authentication Bypass Under Active Attack
CVE ID: CVE-2019-19006
Severity: CRITICAL | CVSS: 9.8
Sources: 2 different security sources
Status: ACTIVELY EXPLOITED (Added to CISA KEV Catalog February 3, 2026)
Let Me Explain What Happened
Here's what's going on, and why I need you to pay attention to this one. A vulnerability that was first disclosed back in November 2019 in Sangoma FreePBX—a popular open-source phone system used by thousands of businesses—is now being actively exploited in the wild. Think of FreePBX as the software that manages your company's phone system, handling everything from voicemail to call routing. This vulnerability is like having a back door to your office that anyone can open, even though it's supposed to be locked with a security code.
On February 3, 2026, CISA (the Cybersecurity and Infrastructure Security Agency) added this vulnerability to their Known Exploited Vulnerabilities catalog, which means they have concrete evidence that attackers are actively using this flaw right now to break into systems. This isn't a theoretical risk anymore—it's happening in the real world, and if you're running an affected version of FreePBX, you need to take action today.
A Bit More Detail
The vulnerability affects FreePBX versions 15.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below. What makes this particularly dangerous is that it's an authentication bypass vulnerability—attackers don't need a username or password to get in. They can potentially access administrative services and take complete control of your phone system without any credentials at all. With a CVSS score of 9.8 out of 10, this is about as serious as vulnerabilities get.
The National Vulnerability Database classifies this as CWE-287, which is "Improper Authentication." In plain terms, the software isn't properly checking whether someone should be allowed in before giving them access. It's like a bouncer at a club who forgot to check IDs—anyone can just walk right in.
The Technical Specifics
- Attack Vector: Network (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Attack Complexity: Low—attackers don't need special conditions or sophisticated techniques
- Privileges Required: None—no authentication needed
- User Interaction: None—completely automated attacks are possible
- Affected Products:
  - Sangoma FreePBX 15.0.16.26 and below
  - Sangoma FreePBX 14.0.13.11 and below
  - Sangoma FreePBX 13.0.197.13 and below
- CWE Classification: CWE-287 (Improper Authentication)
- Impact: Complete compromise of confidentiality, integrity, and availability
Why This Matters Now (Seven Years Later)
You might be wondering why we're talking about a vulnerability from 2019. That's a fair question, and here's the concerning answer: many organizations never patched this issue. FreePBX systems often run for years without updates, especially in small to medium businesses where IT resources are limited. Attackers know this, and they're systematically scanning the internet for vulnerable systems they can exploit.
When CISA adds a vulnerability to their KEV catalog, it's because they have evidence of active exploitation. This means threat actors are right now, today, scanning for and compromising vulnerable FreePBX installations. If your system is exposed to the internet and running an affected version, you should assume it's being targeted.
What You Should Do About This
Let me walk you through the steps you need to take, starting with the most urgent actions:
- Right Now (Emergency Response):
  - Identify your FreePBX version: Log into your FreePBX admin interface and check the version number in the dashboard. If you're running version 15.0.16.26 or below, 14.0.13.11 or below, or 13.0.197.13 or below, you're vulnerable.
  - Check for compromise: Review your FreePBX admin access logs for any unauthorized access, especially from unfamiliar IP addresses. Look for administrative changes you didn't make, new user accounts, or modifications to call routing rules.
  - Restrict network access: If possible, immediately restrict access to your FreePBX admin interface to only trusted IP addresses. Use firewall rules to block public internet access until you can patch.
  - Monitor for suspicious activity: Watch for unusual call patterns, unexpected international calls, or changes to voicemail settings—all signs that someone may have gained unauthorized access.
- For the Long Term (Remediation):
  - Apply updates immediately: Visit the official FreePBX security advisory at https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass for specific patching instructions. Update to the latest version of FreePBX for your major version branch.
  - Follow CISA guidance: According to CISA's KEV catalog entry, federal agencies must apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. While this directive applies to federal agencies under BOD 22-01, it's excellent guidance for any organization.
  - Implement defense in depth: Even after patching, don't expose your FreePBX admin interface directly to the internet. Use a VPN for administrative access, implement strong firewall rules, and consider placing FreePBX behind a reverse proxy with additional authentication.
  - Enable logging and monitoring: Configure comprehensive logging for all administrative actions and integrate these logs with your SIEM or log management system. Set up alerts for authentication attempts, especially failed ones.
  - Regular security reviews: Schedule quarterly reviews of your FreePBX configuration, user accounts, and access logs. Remove unused accounts and verify that all administrative access is legitimate.
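The "identify your version" step is easy to get wrong when you have many boxes in an inventory, because a plain string comparison ranks 15.0.16.3 above 15.0.16.26. Here is an added example (my code, not from the advisory or from Sangoma) that compares version strings numerically against the three affected ceilings quoted above; the inventory list in it is constructed.

```python
# Added example (not from the advisory): decide whether a FreePBX version
# string falls inside the affected ranges for CVE-2019-19006.
# The ceilings are the advisory's; the sample inventory is constructed.

# Highest affected release per branch (inclusive), as stated in the advisory.
AFFECTED_CEILING = {
    15: (15, 0, 16, 26),
    14: (14, 0, 13, 11),
    13: (13, 0, 197, 13),
}

def parse_version(v: str) -> tuple:
    """Turn '15.0.16.3' into (15, 0, 16, 3) so comparison is numeric.
    A plain string comparison would rank '15.0.16.3' above '15.0.16.26'."""
    parts = tuple(int(p) for p in v.strip().split("."))
    # Pad short strings so '15.0.16' compares as 15.0.16.0
    return parts + (0,) * (4 - len(parts))

def is_affected(version: str) -> bool:
    """True when the version is at or below its branch's affected ceiling.
    Branches not listed here (e.g. 16) are not covered by this CVE's ranges."""
    parsed = parse_version(version)
    ceiling = AFFECTED_CEILING.get(parsed[0])
    if ceiling is None:
        return False
    return parsed <= ceiling

def triage(versions):
    """Return {version: 'VULNERABLE' | 'ok'} for a batch of inventory entries."""
    return {v: ("VULNERABLE" if is_affected(v) else "ok") for v in versions}

if __name__ == "__main__":
    # Constructed inventory sample, not real hosts.
    sample = ["15.0.16.3", "15.0.16.26", "15.0.16.27",
              "14.0.13.11", "13.0.197.14", "16.0.40"]
    for v, verdict in triage(sample).items():
        print(f"{v:12} {verdict}")
```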
Detection and Hunting Guidance
If you're a security analyst or SOC team member, here's what you should be looking for:
- Network indicators: Look for HTTP/HTTPS requests to FreePBX admin interfaces (/admin/ paths) from unexpected source IPs, especially those with no prior history of legitimate access.
- Authentication anomalies: Monitor for successful administrative sessions that bypass normal authentication flows. Look for admin-level actions without corresponding authentication log entries.
- Configuration changes: Alert on any modifications to FreePBX configuration files, especially changes to authentication settings, user accounts, or call routing rules.
- Behavioral indicators: Watch for unusual call patterns following potential compromise, such as sudden spikes in international calls, calls to premium-rate numbers, or changes to call forwarding settings.
For SIEM correlation, consider creating rules that flag:
source_ip NOT IN (known_admin_ips)
AND url CONTAINS "/admin/"
AND http_status = 200
AND session_created = true
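To show what that correlation rule looks like when run over real log material, here is an added example (my code, not from the advisory) that applies the allowlist, /admin/ path and HTTP 200 conditions to web-server access logs. It assumes the Apache/nginx "combined" log format; the admin allowlist, request paths and log lines are constructed, and the session_created condition is left out because an access log alone does not record it.

```python
# Added example (not from the advisory): apply the SIEM rule above to
# web-server access logs from a FreePBX host. Assumes Apache/nginx "combined"
# log format; the allowlist, paths and log lines below are constructed.
import re
from ipaddress import ip_address, ip_network

# Constructed allowlist of networks from which admin access is expected.
KNOWN_ADMIN_NETS = [ip_network("10.0.5.0/24"), ip_network("192.0.2.10/32")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
10.0.5.21 - - [03/Feb/2026:09:12:01 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [03/Feb/2026:09:14:33 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.77 - - [03/Feb/2026:09:14:40 +0000] "POST /admin/index.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.5 - - [03/Feb/2026:09:15:02 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/8.4"
192.0.2.10 - - [03/Feb/2026:09:16:15 +0000] "GET /ucp/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def is_known_admin(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_ADMIN_NETS)

def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def hunt(log_text: str):
    """Return (ip, path, status) for every successful /admin/ request from an
    address outside the allowlist. A 403 is excluded: that is the firewall
    doing its job, not a bypass. Unparseable lines are skipped, not raised."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "/admin/" in rec["path"] and rec["status"] == "200" \
                and not is_known_admin(rec["ip"]):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits

if __name__ == "__main__":
    for ip, path, status in hunt(SAMPLE_LOG):
        print(f"ALERT unlisted source {ip} reached {path} ({status})")
```

Feed it your real access log and a real allowlist; every hit is an admin page served to an address you did not expect, which is exactly the pattern an authentication bypass leaves behind.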
The Bigger Picture
This vulnerability serves as an important reminder about the lifecycle of security issues. Just because a vulnerability is old doesn't mean it's not dangerous. In fact, older vulnerabilities can be more dangerous because exploit code is widely available, and attackers know that many organizations never applied patches.
FreePBX systems are particularly attractive targets because they often handle sensitive business communications and can be used as pivot points into broader networks. A compromised phone system can be used for toll fraud (making expensive international calls on your dime), eavesdropping on conversations, or as a foothold for further network penetration.
The fact that CISA added this to their KEV catalog in 2026—seven years after the initial disclosure—tells us that organizations are still running vulnerable versions and attackers are still finding success exploiting them. Don't let your organization be one of them.
Where I Found This Information
- National Vulnerability Database - CVE-2019-19006 (Authoritative technical details and CVSS scoring)
- CISA Alert: CISA Adds Four Known Exploited Vulnerabilities to Catalog (Credibility: 10) - February 3, 2026
- CISA Known Exploited Vulnerabilities Catalog - CVE-2019-19006 (Credibility: 10) - Active exploitation confirmation
- FreePBX Official Security Advisory - Original vendor disclosure and remediation guidance
- FreePBX Community Forum - SEC-2019-001 - Community discussion and additional context
Note: This is automated security intelligence based on multiple sources. Always test updates carefully in a non-production environment before applying them to production systems. The addition to CISA's KEV catalog indicates active exploitation—treat this with appropriate urgency.