3CX · 3CX Phone System Management Console · CVE-2022-28005
**Name of the Vulnerable Software and Affected Versions**
3CX Phone System Management Console versions prior to 18 Update 3 FINAL
**Description**
An issue was discovered in the 3CX Phone System Management Console, where an unauthenticated attacker could abuse improperly secured access to arbitrary files on the server, leading to cleartext credential disclosure. This is achieved through directory traversal in the `/Electron/download` directory, in conjunction with a path component that uses backslash characters. Afterwards, the attacker, now authenticated with the disclosed credentials, is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as `NT AUTHORITY\SYSTEM` on Windows installations. Additionally, versions prior to version 18, Hotfix 1 Build 18.0.3.461, are prone to an additional unauthenticated file system access to `C:\Windows\System32`.
**Recommendations**
For versions prior to 18 Update 3 FINAL, update to version 18 Update 3 FINAL or later to resolve the issue.
As a temporary workaround, consider restricting access to the `/Electron/download` directory to minimize the risk of exploitation.
For versions prior to version 18, Hotfix 1 Build 18.0.3.461, also restrict access to the `C:\Windows\System32` directory to prevent the additional unauthenticated file system access.
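Until the update is applied, defenders will want to know whether the `/Electron/download` path has already been probed. The following is an added example (not part of this advisory and not 3CX's own code) that scans web-server access logs for requests to that path whose file reference climbs out of the served directory, giving special weight to the backslash-separated and double-encoded variants the description mentions. The log lines are constructed samples in Apache combined-style format, and the `file` query parameter name is a placeholder: the real log format and parameter name depend on the deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; IPs are documentation-range addresses,
# and the "file" parameter name and file names are placeholders, not 3CX's.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2022:10:00:01 +0000] "GET /Electron/download?file=logo.png HTTP/1.1" 200 512
203.0.113.11 - - [01/Apr/2022:10:00:02 +0000] "GET /Electron/download?file=..%5c..%5c..%5csettings.ini HTTP/1.1" 200 2048
203.0.113.12 - - [01/Apr/2022:10:00:03 +0000] "GET /Electron/download?file=%252e%252e%255c%252e%252e%255csettings.ini HTTP/1.1" 200 2048
203.0.113.13 - - [01/Apr/2022:10:00:04 +0000] "GET /Electron/download?file=..%2f..%2fsettings.ini HTTP/1.1" 403 0
203.0.113.14 - - [01/Apr/2022:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+'
)


def decode_bounded(value, rounds=3):
    """Percent-decode until the value stops changing; bounded so input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(decoded):
    """True if the path ever climbs above its starting directory.

    Backslashes are folded into '/' first, because a Windows file API treats
    both as separators even when the web layer only normalizes '/'."""
    depth = 0
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def classify(raw):
    """Return a list of reasons a raw (still-encoded) file reference is suspicious, or []."""
    decoded = decode_bounded(raw)
    if not escapes_base(decoded):
        return []
    reasons = ["traversal"]
    if "\\" in decoded:
        reasons.append("backslash-separator")
    if decode_bounded(raw, rounds=1) != decoded:
        reasons.append("double-encoded")
    return reasons


def flag_download_requests(log_text, prefix="/Electron/download"):
    """Scan access-log text and return one finding per request under `prefix` that escapes it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.startswith(prefix):
            continue
        # Inspect both the path remainder after the prefix and every query value.
        values = [path[len(prefix):]]
        values += [kv.partition("=")[2] for kv in query.split("&") if kv]
        for raw in values:
            reasons = classify(raw)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "status": m.group("status"),
                    "value": raw,
                    "reasons": reasons,
                })
                break  # one finding per request line
    return findings


if __name__ == "__main__":
    for f in flag_download_requests(SAMPLE_LOG):
        print(f"{f['ip']} status={f['status']} {','.join(f['reasons'])} value={f['value']}")
```

Findings with a 2xx status deserve first attention, since a 403 shows the request was blocked while a 200 on a traversing reference is a likely file read. The `escapes_base` segment walk is also the check a download handler should apply to a requested name after bounded decoding and separator folding, rather than a substring search for `../` that the backslash variant slips past.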