A critical security flaw in the FreePBX User Control Panel has been publicly disclosed, allowing unauthenticated attackers to access business VoIP phone systems via hard-coded template credentials, with no login required.
Security researchers have identified a severe vulnerability tracked as CVE-2026-46376, classified under CWE-798 (Use of Hard-Coded Credentials), affecting FreePBX versions 16 and 17.
The vulnerability was published via GitHub Security Advisory GHSA-m55x-h47x-v3gx approximately two weeks ago and carries a CVSS v4.0 Base Score of 9.1 (Critical), making it one of the most serious flaws disclosed in VoIP infrastructure software this year.
FreePBX is one of the world’s most widely deployed open-source IP PBX (Private Branch Exchange) platforms, maintained by Sangoma Technologies.
It powers business telephone systems from small offices to large enterprises, managing calls, voicemail, conferencing, and user portals.
Its open-source nature and widespread adoption make it a high-value target for threat actors, and any critical vulnerability in its codebase could expose thousands of organizations worldwide.
The affected component is the userman (User Management) module, which governs the FreePBX User Control Panel (UCP), an interface that allows individual users to manage their own phone extensions, voicemail settings, and call preferences. The User Management module is a core operational component for most FreePBX deployments.
The root cause of this vulnerability lies in the UCP Generic Template Setup Process, an optional but widely used feature that administrators use to simplify bulk UCP deployments.
When this template process is executed, hard-coded sample credentials are embedded into the system as initial placeholder values. These credentials were never designed for production use, but FreePBX did not force administrators to change them immediately after setup.
As a result, any unauthenticated user who knows or guesses these template credentials can log directly into the UCP interface without any additional authentication challenge.
While authenticated access to the Administrator Control Panel (ACP) is required to configure UCP templates initially, the vulnerability persists afterward if the credentials are not rotated.
The issue was introduced in a code commit in 2021 and remained undetected in production environments for nearly five years.
The CVSS v4.0 attack vector is fully remote (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N), meaning exploitation is trivial for any attacker who can reach the UCP interface from the internet.
The vulnerable system impact metrics indicate High Confidentiality (VC:H) and High Integrity (VI:H) impact, confirming that successful exploitation can expose sensitive user data and allow configuration manipulation of an organization’s entire phone system.
Affected Versions
| Detail | Value |
|---|---|
| CVE ID | CVE-2026-46376 |
| GHSA | GHSA-m55x-h47x-v3gx |
| CWE | CWE-798 (Use of Hard-Coded Credentials) |
| CVSS v4.0 Base Score | 9.1 (Critical) |
| CVSS-BTES Score | 6.9 (Medium) |
| Attack Vector | Network (Remote) |
| Privileges Required | None |
| Affected: FreePBX 16 | userman < 16.0.45 |
| Patched: FreePBX 16 | 16.0.45 |
| Affected: FreePBX 17 | userman < 17.0.7 |
| Patched: FreePBX 17 | 17.0.7 |
| Vulnerability Introduced | 2021 |
| Disclosed | May 2026 |
According to Positive Technologies’ vulnerability database, hardcoded credentials in the userman module could allow unauthenticated access to the portal, potentially exposing entire business phone systems to malicious actors.
VoIP systems are particularly high-value targets because they store call recordings, voicemail audio, extension directories, user PINs, and internal routing configurations, all of which can be weaponized for corporate espionage, social engineering, or operational disruption.
This vulnerability is especially dangerous for organizations that have internet-facing FreePBX deployments without VPN or firewall restrictions on the UCP interface.
The CVSS-BTES (Base, Threat, Environmental and Supplemental) score of 6.9 reflects that while the base risk is critical, the attack requirement of a specific deployment condition (running UCP generic templates) slightly narrows the real-world attack surface.
This CVE also joins a growing list of serious FreePBX security issues, including CVE-2025-57819, which involved unauthenticated Remote Code Execution (RCE) via the Endpoint Manager module, highlighting that FreePBX deployments require continuous, proactive security hardening.
Mitigation
FreePBX developers released fixed versions alongside the advisory disclosure. Administrators should act immediately:
- Update the FreePBX 16 userman module to version 16.0.45 or later; this version randomizes the UCP template password, eliminating the hard-coded credential risk
- Update FreePBX 17 userman module to version 17.0.7 or later
- Enforce MFA or SAML on the Administrator Control Panel using the FreePBX User Management, SysAdmin VPN, MFA, or SAML modules.
- Deploy the FreePBX Firewall module and restrict UCP and ACP access exclusively to trusted, registered IP addresses; the Firewall module can limit UCP access to IPs with successfully registered SIP phones.
- Audit all active UCP template configurations to confirm no default credentials remain active in production
- Monitor access logs for suspicious unauthenticated login activity targeting the UCP interface.
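As an added example (not code from the article or from the FreePBX project), the following Python helper checks whether an installed userman module version falls inside the affected ranges given above, so the audit step can be scripted across a fleet of PBXes. The `fwconsole ma list` table layout it parses is a constructed sample and is assumed, not copied from a real system.

```python
import re

# Fixed userman releases per FreePBX branch, as stated in the advisory summary above.
PATCHED = {16: (16, 0, 45), 17: (17, 0, 7)}


def parse_version(version):
    """'16.0.44' -> (16, 0, 44); trailing non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_vulnerable(version):
    """True if this userman version is older than its branch's fixed release.

    Branches other than 16 and 17 are not covered by this advisory and return False.
    """
    parsed = parse_version(version)
    if not parsed:
        raise ValueError(f"unparseable version string: {version!r}")
    fixed = PATCHED.get(parsed[0])
    if fixed is None:
        return False
    return parsed < fixed


def userman_version_from_ma_list(output):
    """Extract the userman row from `fwconsole ma list`-style output.

    Assumes rows shaped like '| userman | 16.0.44 | Enabled | GPLv3+ |' (constructed).
    Returns None if the module is not listed (e.g. not installed).
    """
    for line in output.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == "userman":
            return cells[1]
    return None


def audit_ma_list(output):
    """Return (version, vulnerable) for the userman module in the given listing."""
    version = userman_version_from_ma_list(output)
    if version is None:
        return None, False
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample of a module listing from an unpatched FreePBX 16 host.
    SAMPLE = "| Module  | Version | Status  | License |\n| userman | 16.0.44 | Enabled | GPLv3+  |\n"
    print(audit_ma_list(SAMPLE))  # constructed sample: ('16.0.44', True)
```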
The vulnerability was reported by researcher s0nnyWT, coordinated by chrsmj, and patched by Sangoma-Heera on the remediation side.
FAQ
Q1: Who is affected by CVE-2026-46376?
Any organization running FreePBX 16 (below v16.0.45) or FreePBX 17 (below v17.0.7) with the UCP Generic Template feature enabled and default credentials unchanged is directly at risk.
Q2: Can CVE-2026-46376 be exploited remotely without authentication?
Yes, the CVSS v4.0 vector confirms the attack requires no privileges, no user interaction, and is fully network-exploitable from any remote location with access to the UCP interface.
Q3: Does simply having FreePBX installed make me vulnerable?
No, the vulnerability specifically requires that the administrator ran the optional UCP Generic Template setup and never changed the hard-coded sample credentials afterward.
Q4: What is the fastest way to fix this vulnerability?
Update the userman module via FreePBX’s Module Admin interface to version 16.0.45 or 17.0.7. The patch automatically randomizes the template password, neutralizing the exploit.
Site: thecybrdef.com