A critical security vulnerability has been disclosed in FreePBX’s User Management (userman) module, exposing enterprise VoIP deployments running FreePBX 16 and 17 to unauthorized access. The flaw, assigned CVE-2026-46376 with a CVSS v4.0 base score of 9.1 (Critical), was published via GitHub Security Advisory (GHSA-m55x-h47x-v3gx) on May 15, 2026, and is being actively tracked by Canada’s Cyber Centre, which issued formal advisory AV26–474 urging immediate patching.

⚠ Immediate Action Required

All administrators running FreePBX 16 (userman ≤ 16.0.44) or FreePBX 17 (userman ≤ 17.0.6) with the UCP generic template setup enabled should upgrade immediately and audit active UCP sessions for unauthorized logins.

What Is the Vulnerability?

The flaw — classified under CWE-798 (Use of Hard-Coded Credentials) — resides in FreePBX’s optional UCP (User Control Panel) generic template setup process. When administrators use this feature to simplify mass UCP deployments, hard-coded sample credentials are embedded by default. If those credentials are never changed after setup, any unauthenticated user on the network can exploit them to gain portal access with no privileges required, no user interaction, and no complex attack chain needed.

Historical commit analysis reveals the vulnerability was silently introduced into the FreePBX userman codebase in 2021, meaning systems that ran the generic template setup at any point after that year may have been silently exposed for up to five years. The flaw was reported by researcher s0nnyWT and patched by Sangoma-Heera.

“Hard-coded credentials introduced in 2021 — silently present for up to five years — on any system that ran the UCP generic template setup.”
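The defect class described above (CWE-798) and the shape of the fix (randomized per-account defaults) can be shown with a generic bulk-provisioning routine. This is an added example, not the userman module's own code, whose internals the advisory does not show: the "before" function stamps one constant onto every account it creates, the "after" function mints a random secret per account and stores only a salted hash. The sample password constant and the usernames are constructed placeholders, not real FreePBX defaults.

```python
"""Hard-coded template credentials (CWE-798) versus randomized per-account
defaults. Added example; not FreePBX userman code. All values constructed."""
import hashlib
import hmac
import os
import secrets

# Constructed placeholder standing in for the kind of sample value a template
# embeds. It is NOT a real FreePBX default.
SAMPLE_PASSWORD = "sample-pass-123"
PBKDF2_ROUNDS = 200_000


def provision_bulk_users_vulnerable(usernames):
    """BEFORE (CWE-798): every account the template creates receives the same
    constant, so the password is known for every deployment that ran the setup
    and stays valid until someone rotates it by hand."""
    return {u: {"password": SAMPLE_PASSWORD, "must_change": False} for u in usernames}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def provision_bulk_users_fixed(usernames):
    """AFTER: a fresh random secret per account, stored only as a salted hash.
    The cleartext is returned exactly once so the administrator can hand it
    over out of band, and the account is flagged to rotate it at first login."""
    records, one_time_secrets = {}, {}
    for u in usernames:
        pw = secrets.token_urlsafe(16)
        salt, digest = hash_password(pw)
        records[u] = {"salt": salt, "digest": digest, "must_change": True}
        one_time_secrets[u] = pw
    return records, one_time_secrets


def accounts_still_on_sample_password(records):
    """Audit helper for a store written by the vulnerable routine: which
    accounts still carry the template constant (the condition that leaves the
    portal exposed)."""
    return sorted(u for u, r in records.items() if r.get("password") == SAMPLE_PASSWORD)


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]  # constructed
    weak = provision_bulk_users_vulnerable(users)
    weak["bob"]["password"] = "bob-rotated-it"  # one user changed theirs after setup
    print("still on template password:", accounts_still_on_sample_password(weak))
    fixed, handouts = provision_bulk_users_fixed(users)
    print("distinct random secrets:", len(set(handouts.values())) == len(users))
```

The audit helper is the part worth keeping around after patching: the advisory's remediation list asks administrators to verify and rotate any UCP credential that may still hold a template value, and a store written by the "before" routine is exactly where such values survive.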

CVE Details at a Glance

CVE-2026-46376 (CVSS v4.0 base score 9.1, Critical): Hard-Coded Credentials in FreePBX User Management (userman)

Affects the UCP generic template setup flow. Hard-coded sample credentials embedded during setup grant unauthenticated network access to the User Control Panel if credentials are never rotated. No privileges, no user interaction, and no complex exploit chain required. Attack vector: Network. Complexity: Low. Classified CWE-798.

While the CVSS v4.0 base score is 9.1 (Critical), the Base Threat Environment Supplemental (BTES) score is rated 6.9 (Medium), reflecting that exploitation requires the hard-coded credentials to remain unchanged and that no active exploit code has been confirmed in the wild as of the advisory date. Nevertheless, given FreePBX’s active exploitation history — including CVE-2025-57819, a zero-day with a CVSS score of 9.8 that was confirmed exploited — the risk to unpatched systems should be treated as serious.

Affected Versions & Patched Releases

Platform     Vulnerable Versions   Patched Version   Status
FreePBX 16   userman ≤ 16.0.44     16.0.45           ✓ Patch Available
FreePBX 17   userman ≤ 17.0.6      17.0.7            ✓ Patch Available

Note: FreePBX 15 is not listed as affected by this specific vulnerability. The fix in both patched versions randomizes all default passwords that were previously hard-coded during the generic template setup.
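A quick way to turn the table above into a check that runs on the PBX itself, as an added example that is not part of the advisory or the FreePBX project: parse the module list `fwconsole ma list` prints, pull out the installed userman version, and compare it with the first fixed release on its major line. The thresholds are the ones stated above; the pipe-delimited table layout, the module names other than userman, and the version numbers in the sample output are assumptions constructed for the example, so adjust the row regex if your output differs.

```python
"""Check whether the installed FreePBX userman module falls inside the
CVE-2026-46376 range. Added example; not FreePBX project code."""
import re

# First fixed release per major line, from the advisory's version table.
# Anything below it on the same major line is vulnerable.
FIXED_VERSIONS = {
    16: (16, 0, 45),
    17: (17, 0, 7),
}


def parse_version(text):
    """Turn '16.0.44' into a comparable tuple (16, 0, 44)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version):
    """True if this userman version precedes the patched release on its major line.

    Major lines the advisory does not list (FreePBX 15, for instance) return
    False, matching the note above that 15 is not listed as affected."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return False
    return v < fixed


# Assumed row layout: "| module | version | status | license |".
ROW_RE = re.compile(r"^\|\s*(?P<module>\S+)\s*\|\s*(?P<version>\d+(?:\.\d+)*)\s*\|")


def parse_module_versions(ma_list_output):
    """Extract {module: version} from the table printed by `fwconsole ma list`."""
    versions = {}
    for line in ma_list_output.splitlines():
        m = ROW_RE.match(line)
        if m:
            versions[m.group("module")] = m.group("version")
    return versions


def audit(ma_list_output):
    """Return (installed userman version, vulnerable?) or (None, None) if absent."""
    version = parse_module_versions(ma_list_output).get("userman")
    if version is None:
        return None, None
    return version, is_vulnerable(version)


# Constructed sample output; the other module versions are made up.
SAMPLE_OUTPUT = """\
+------------+---------+---------+---------+
| Module     | Version | Status  | License |
+------------+---------+---------+---------+
| core       | 16.0.71 | Enabled | GPLv3+  |
| userman    | 16.0.44 | Enabled | AGPLv3+ |
| ucp        | 16.0.32 | Enabled | AGPLv3+ |
+------------+---------+---------+---------+
"""

if __name__ == "__main__":
    # On a live system replace SAMPLE_OUTPUT with the stdout of:
    #   fwconsole ma list
    version, vulnerable = audit(SAMPLE_OUTPUT)
    if version is None:
        print("userman module not installed")
    else:
        verdict = "VULNERABLE, upgrade userman" if vulnerable else "not in the affected range"
        print(f"userman {version}: {verdict}")
```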

Context: FreePBX’s Broader Security Landscape

This disclosure follows a turbulent stretch of security fixes across the FreePBX ecosystem. In late 2025 and early 2026, several critical vulnerabilities were disclosed and patched across different modules — many involving issues that had accumulated in the codebase over multiple years, spanning both open-source and commercial modules. These included SQL injection flaws in the Endpoint Management module (CVE-2025-61675), an authentication bypass (CVE-2025-66039), and a file upload vulnerability enabling remote code execution (CVE-2025-61678). Several of these were added to the CISA Known Exploited Vulnerabilities (KEV) Catalog.

CVE-2026-46376 is a distinct and separate issue from those prior vulnerabilities. It is not a SQL injection or cross-site scripting flaw — it is a hard-coded credentials problem in a different module (User Management), affecting a different attack surface (the UCP portal) and requiring a different remediation.

Recommended Actions

  • Upgrade immediately — Update the userman module to version 16.0.45 (FreePBX 16) or 17.0.7 (FreePBX 17) via the Module Admin panel.
  • Audit UCP sessions — Review all active and recent sessions in the User Control Panel for signs of unauthorized logins, especially on systems that ran the generic template setup after 2021.
  • Restrict admin panel access — Use the FreePBX Firewall module to limit access to both the Admin Control Panel (ACP) and UCP to trusted IP addresses only.
  • Enable MFA or SAML — Use the SysAdmin VPN, MFA, or SAML modules to add an additional authentication layer on top of User Management.
  • Rotate all credentials — Even after patching, manually verify and rotate any UCP credentials that may have used the default template values.
  • Monitor for exploitation — Review web server logs for anomalous authentication activity on UCP endpoints.
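The last two steps, restricting UCP to trusted addresses and watching web server logs for authentication activity on UCP endpoints, can be backed by a small log review script. This is an added example, not FreePBX project code. It assumes UCP is reached under /ucp/ (the default install path), that a login attempt appears as a POST beneath that path, and that the access log is in the Apache/NGINX "combined" format; the trusted-network allowlist and every log line below are constructed for the example.

```python
"""Flag UCP authentication activity from outside trusted networks in a web
server access log. Added example; not FreePBX project code. All sample data
is constructed."""
import ipaddress
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed allowlist: the networks from which UCP access is expected.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_ucp_logins(lines, ucp_prefix="/ucp/"):
    """Return (ip, timestamp, path, status) for each UCP POST from outside the allowlist.

    A hard-coded credential yields a successful login on the first try, so a
    burst of failures is not the signal here; the source network is."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith(ucp_prefix):
            continue
        if not is_trusted(rec["ip"]):
            hits.append((rec["ip"], rec["ts"], rec["path"], rec["status"]))
    return hits


def ucp_requests_by_source(lines, ucp_prefix="/ucp/"):
    """Count UCP requests per source IP so unfamiliar sources stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(ucp_prefix):
            counts[rec["ip"]] += 1
    return counts


# Constructed sample log: one internal user, one external source, one VPN user.
SAMPLE_LOG = """\
192.168.1.20 - - [16/May/2026:09:02:11 +0000] "GET /ucp/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.20 - - [16/May/2026:09:02:15 +0000] "POST /ucp/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.45 - - [16/May/2026:03:41:02 +0000] "GET /ucp/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [16/May/2026:03:41:03 +0000] "POST /ucp/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.45 - - [16/May/2026:03:41:09 +0000] "POST /admin/ HTTP/1.1" 403 211 "-" "Mozilla/5.0"
10.5.5.9 - - [16/May/2026:10:15:40 +0000] "POST /ucp/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, ts, path, status in find_untrusted_ucp_logins(lines):
        print(f"ALERT untrusted UCP login attempt: {ip} at {ts} -> {path} ({status})")
    for ip, n in ucp_requests_by_source(lines).most_common():
        print(f"{ip:16} {n:3} UCP requests  trusted={is_trusted(ip)}")
```

Run it over the real access log with the allowlist set to the same networks the Firewall module permits; any hit from outside those networks on a system that ran the generic template setup is a session to investigate and a credential to rotate.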

Official Resources

Administrators should consult the official FreePBX security advisories and the GitHub Security Advisory (GHSA-m55x-h47x-v3gx) for full technical details. Canada’s Cyber Centre advisory AV26–474, published May 15, 2026, also provides guidance for affected organizations.